Analysis Overview
SHA256
d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8
Threat Level: Known bad
The file d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
SectopRAT payload
Glupteba payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Detects Healer an antivirus disabler dropper
DcRat
Modifies Windows Defender Real-time Protection settings
RedLine
Healer
Glupteba
Amadey
SmokeLoader
SectopRAT
Stops running service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Drops file in Drivers directory
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 21:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 21:44
Reported
2023-10-10 21:47
Platform
win10v2004-20230915-en
Max time kernel
127s
Max time network
151s
Command Line
Signatures
Amadey
DcRat
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5320 created 676 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5320 created 676 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5320 created 676 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5320 created 676 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AA18.bat | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FCC0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DF.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\A35F.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jj1mx0an.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AF69.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\source1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AFB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E19.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe
"C:\Users\Admin\AppData\Local\Temp\d5716c2d2f547301ff0b322f76d2a7d012e3e3c0146ef040492ca327cdfef8d8.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 680 -ip 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nV70HK.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nV70HK.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40DC.tmp\40DD.tmp\40DE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9dd7746f8,0x7ff9dd774708,0x7ff9dd774718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9dd7746f8,0x7ff9dd774708,0x7ff9dd774718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11110459970800923757,14463519812136531172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\A35F.exe
C:\Users\Admin\AppData\Local\Temp\A35F.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jj1mx0an.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jj1mx0an.exe
C:\Users\Admin\AppData\Local\Temp\A6EA.exe
C:\Users\Admin\AppData\Local\Temp\A6EA.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1th20qt9.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1th20qt9.exe
C:\Users\Admin\AppData\Local\Temp\AA18.bat
"C:\Users\Admin\AppData\Local\Temp\AA18.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 440 -ip 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4124 -ip 4124
C:\Users\Admin\AppData\Local\Temp\AE11.exe
C:\Users\Admin\AppData\Local\Temp\AE11.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1912 -ip 1912
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC1A.tmp\AC2A.tmp\AC2B.bat C:\Users\Admin\AppData\Local\Temp\AA18.bat"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 540
C:\Users\Admin\AppData\Local\Temp\AF69.exe
C:\Users\Admin\AppData\Local\Temp\AF69.exe
C:\Users\Admin\AppData\Local\Temp\B1EB.exe
C:\Users\Admin\AppData\Local\Temp\B1EB.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1076 -ip 1076
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VR740tb.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VR740tb.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 416
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dd7746f8,0x7ff9dd774708,0x7ff9dd774718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dd7746f8,0x7ff9dd774708,0x7ff9dd774718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14571124730971340758,5757114002690927345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\FCC0.exe
C:\Users\Admin\AppData\Local\Temp\FCC0.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\source1.exe
"C:\Users\Admin\AppData\Local\Temp\source1.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\4DF.exe
C:\Users\Admin\AppData\Local\Temp\4DF.exe
C:\Users\Admin\AppData\Local\Temp\AFB.exe
C:\Users\Admin\AppData\Local\Temp\AFB.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\E19.exe
C:\Users\Admin\AppData\Local\Temp\E19.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5356 -ip 5356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 792
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe
| MD5 | bd84a04ac75df534dcb37b26ea39059d |
| SHA1 | d40c39fbf1509f00d71b9c3e9b6910d9774e45e0 |
| SHA256 | 0099b72b5a3ffc5c504ec63bc500a77c092fd84bd58c39d4ad6fa46ac7b8f54a |
| SHA512 | 8262e62ed326b43df9e9919524f7849103ec2d409e1524f4c440e92d89b327782204433a3aabd7c206e9c8b10290b3a9d85498a9a1398e7f87d5f1538c07351a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XD1Kq18.exe
| MD5 | a5c9523adbdf9d9864c2171e2be754bb |
| SHA1 | c58b60acda25391f3db23bc487eec2215c16a5c4 |
| SHA256 | 1151dff49079d286fb7261cbea8c10e833a1ab5a9fd570606eb9ec48212ea93c |
| SHA512 | 40090d91adbfdd721f87a5797b86ba5a69b2a1bec3e909b5bce411f1654138e5bca63b0cc969507ecf21702a1e63e801cb2177585fe9fd319bc844db56c1db37 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uD5ES53.exe
| MD5 | 163a39d5a12dd7e36814989ced51fcb2 |
| SHA1 | 47c244ab1062f1b71e649f61d25978663f833405 |
| SHA256 | a4d12c838e982b93343141a80467ebdf8846075fe678c4f9ccd117b93f1e05b6 |
| SHA512 | 8ee5f89ede1ef571d5a45a356c491a0345fb433ba084d8d6d92ecbce474d9a9c007b258c1f587bceab5663952ecc9e3601dea3f3907125d43f827e63ca2908df |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Aj29Iy7.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
memory/3732-28-0x00000000745D0000-0x0000000074D80000-memory.dmp
memory/3732-29-0x0000000004930000-0x0000000004940000-memory.dmp
memory/3732-30-0x0000000002280000-0x000000000229E000-memory.dmp
memory/3732-31-0x0000000004930000-0x0000000004940000-memory.dmp
memory/3732-32-0x0000000004980000-0x0000000004F24000-memory.dmp
memory/3732-33-0x0000000004910000-0x000000000492C000-memory.dmp
memory/3732-37-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-49-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-47-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-51-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-45-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-55-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-61-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-59-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-57-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-53-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-43-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-41-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-39-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-35-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-34-0x0000000004910000-0x0000000004926000-memory.dmp
memory/3732-62-0x00000000745D0000-0x0000000074D80000-memory.dmp
memory/3732-63-0x0000000004930000-0x0000000004940000-memory.dmp
memory/3732-65-0x00000000745D0000-0x0000000074D80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe
| MD5 | 9c28b020233d996a81f1aadc2c99d684 |
| SHA1 | b60d0dafc9b8b74e3f6e31fe6736a4c067a0683c |
| SHA256 | 36c5906edf1c63b85a2c5e70e070d38446bae1217ec98049351d93c2003608f5 |
| SHA512 | 5743921579d6c4d49fdcbb069e3a84a1be7e30dee20a3906d7eafc6b52297292fc40cb5a6b4f87cb20f18bd5b056da766f41e40aab034ee830f3e489ac313cb7 |
memory/4488-69-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4488-70-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4488-71-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4488-73-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nV70HK.exe
| MD5 | d10f16c23811c0b3a027f827e821d67f |
| SHA1 | 306ef00dc0683f682be9b0c92299c1f08541823b |
| SHA256 | 8057ab2256e571563df0e6a6573f767b7b56a20252cc9fe02ede746944cd1733 |
| SHA512 | 6bc471819559fe00cc902c1fa00a0e7ca934ebf3e2b907d9e7ec170fd6d14e082351282649c100ab3583949568c2c7f98d05920410f36a51c90664c140148e2d |
memory/1656-77-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1656-78-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe
| MD5 | ce5724ed62569c79d5828db35e5e620b |
| SHA1 | 12321d5ab64eeee54ea7ef6cbace1607043d8a12 |
| SHA256 | 6cc6811c39e7bc94f3cab5599006040a0a55b5d6be3d2d0353582716bda9f7a9 |
| SHA512 | 14902d086f2379b0d6324032fe6146ca1f242123ccccea6136582a577e13bd1701e88f2e897723e67bcbf91add3be15ee215dee6955d36d85505753675256cb2 |
memory/1380-82-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1380-83-0x0000000073A70000-0x0000000074220000-memory.dmp
memory/1380-84-0x0000000007840000-0x00000000078D2000-memory.dmp
memory/1380-85-0x0000000007A40000-0x0000000007A50000-memory.dmp
memory/1380-86-0x0000000007920000-0x000000000792A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5EP7ju9.exe
| MD5 | 7d2976ebcbeec2bee0e2c1a368328785 |
| SHA1 | 52f20fb7b1b40c606c77a2fb0338e3231049f3c3 |
| SHA256 | 5ce25380809d6cd8b2ab07b1ceb38f8fc73211b3b2caba8139a32d7b489bb64a |
| SHA512 | dc485028632fe80a5624028f601e1c59e25590e3227e6df9e74cf0c2cfd27daea7ace5a58a6825430d1060d5f157450e0b6c8c7a1faf38cce7d5c3e2a9ebd384 |
memory/1380-91-0x00000000088E0000-0x0000000008EF8000-memory.dmp
memory/1380-92-0x0000000007BD0000-0x0000000007CDA000-memory.dmp
memory/1380-93-0x0000000007B00000-0x0000000007B12000-memory.dmp
memory/1380-94-0x0000000007B60000-0x0000000007B9C000-memory.dmp
memory/1380-95-0x00000000082C0000-0x000000000830C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\40DC.tmp\40DD.tmp\40DE.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7a602869e579f44dfa2a249baa8c20fe |
| SHA1 | e0ac4a8508f60cb0408597eb1388b3075e27383f |
| SHA256 | 9ecfb98abb311a853f6b532b8eb6861455ca3f0cc3b4b6b844095ad8fb28dfa5 |
| SHA512 | 1f611034390aaeb815d92514cdeea68c52ceb101ad8ac9f0ae006226bebc15bfa283375b88945f38837c2423d2d397fbf832b85f7db230af6392c565d21f8d10 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3d5af55f794f9a10c5943d2f80dde5c5 |
| SHA1 | 5252adf87d6bd769f2c39b9e8eba77b087a0160d |
| SHA256 | 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764 |
| SHA512 | 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71 |
\??\pipe\LOCAL\crashpad_2016_KWPJZFPCZXUSNFFH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bf8926cd95cacb239bdb2f707ebad786 |
| SHA1 | cb6061a0987b63f342d1f20a2a68dafe79484fd5 |
| SHA256 | 4523362d14c5398c7c4c50822844cd5b98a83e04c1719e77fbc5d77317b6f5c5 |
| SHA512 | c240d0af841081bf1b91fdd340510fedf33875681788d699cc9d3eacac266caa0d12635c2fac9f34b514bdd82281f86d0992e8796a54b06e5236ed327be0f7d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3d5af55f794f9a10c5943d2f80dde5c5 |
| SHA1 | 5252adf87d6bd769f2c39b9e8eba77b087a0160d |
| SHA256 | 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764 |
| SHA512 | 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 344e56d568bf1836c2f2592daf1ca9e9 |
| SHA1 | 753c908633491b3cc9c485246422cc1b7dc635d9 |
| SHA256 | e42ff9912d884c2859167d41c63b54e77d0fad0aa404b115fd6f689d62af78dc |
| SHA512 | 95126411b5f33a2c64016fa6e06f39e9f8610745b988c95c67c962c9683c1a37ad4953b8b29830cfa000c27c72a2a29003afdab4fef4aeb8328b3fa4b5e7fef5 |
memory/676-146-0x0000000008000000-0x0000000008016000-memory.dmp
memory/1656-148-0x0000000000400000-0x0000000000409000-memory.dmp
\??\pipe\LOCAL\crashpad_4740_ZQMMRQHDUIWGBSEN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1380-185-0x0000000073A70000-0x0000000074220000-memory.dmp
memory/1380-189-0x0000000007A40000-0x0000000007A50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 42f4f48a728a84bb1df4b9d62eb1b062 |
| SHA1 | 4c6bbc0454312b1566503c55e624a657546df671 |
| SHA256 | 8f36fd7b10955b2cab13d99d57385db77c277ba7499c32b5fbffd5668afd0865 |
| SHA512 | 81af8928f78a2ada531da779866d6e99447704893325de64a69e4ba4df1aca622ad0b628b75fc70bf5b1ba7b6926cac3eecc385e83032c706f81da4756b55d9a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 344e56d568bf1836c2f2592daf1ca9e9 |
| SHA1 | 753c908633491b3cc9c485246422cc1b7dc635d9 |
| SHA256 | e42ff9912d884c2859167d41c63b54e77d0fad0aa404b115fd6f689d62af78dc |
| SHA512 | 95126411b5f33a2c64016fa6e06f39e9f8610745b988c95c67c962c9683c1a37ad4953b8b29830cfa000c27c72a2a29003afdab4fef4aeb8328b3fa4b5e7fef5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 152e1a9b7cc28c7b2690d56bec9a74bf |
| SHA1 | 467323002bf73718859b9b291cc7414e05eb15d2 |
| SHA256 | 0ddf3ada25a5d50157b77d1cbc42d7db955732fda9a37325d098393c0e9e024b |
| SHA512 | 32ecf32f2c560343fc28b0e4a9c2fd2cf1e3e7d8113d93adb5d1c70553dc65b0e630d7a75dbd258eb1e8cfe8bd7decac8c66886ecdf1446528a9e4c82221c65d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 10f5b64000466c1e6da25fb5a0115924 |
| SHA1 | cb253bacf2b087c4040eb3c6a192924234f68639 |
| SHA256 | d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b |
| SHA512 | 8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c6c87ff253ad42d7c2ef86427878e7f9 |
| SHA1 | c69af9a70ad11c14da2493aeb6598c3f3ca5bcab |
| SHA256 | 8e306bfcae9ebbaa868895ebcdf80f78e69ac276315bbe0bada5f031b0faac07 |
| SHA512 | 7dfd6004028f738e48c32b392e3aa9ed2e3c528876285151f82eff391418f7b255d1e7852c8de7369ee200e107d7a8d076730516a117af984519c78d53b73e3a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6AH61ON.exe
| MD5 | 7802a3f5d42fb307b77ecf701c389369 |
| SHA1 | c92cd365bb856e800c651801011bde4804dfb777 |
| SHA256 | 56f619505c5efa9fbce22152753c044947bf6c3fb24bca5cc00613cbf523cfd6 |
| SHA512 | 8ef0492e515bbdbeecde1669232bbe607990d68d5d93d9f4cef9083a44e9d2fed87f908aec296dc0bc9e081698b9fc5e25c7daf0d43a3d889a662013c23bfcc2 |
C:\Users\Admin\AppData\Local\Temp\A35F.exe
| MD5 | 89a48ed8860af4dd35269854f550da62 |
| SHA1 | 62a29ce884d3bea870f89efaf9d6e95968ee5b6d |
| SHA256 | 8c3d60c8b7dd8b9dc44fb10601d544a5501916c7f8f0bcb94b645525a03a4355 |
| SHA512 | 1957b4fa414dd068d3ad30b3942dafaddf1b0ce61d89505e259b00ddda020590ea8462525ab681787f2b33252095408abf66113c9583527fc66453455e85292e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jj1mx0an.exe
| MD5 | 35f0e263c3fdd7d1f5cf0e48f6196701 |
| SHA1 | c973ab2fb12b6719b94c2690f0c9b107611dbe7f |
| SHA256 | 872e70681e54b3fba5dc42bc3d4fdb0f23a2f2ee97ecc3ded1f00fec3b47fb91 |
| SHA512 | d71fecb9284bbc055484562c28d78bf5787c344243b8f8cf2343927b6a649d20de1fce7366db4a9da11e16b0b0977a01f57329cdd20183a5a97a255e9b53297d |
C:\Users\Admin\AppData\Local\Temp\A6EA.exe
| MD5 | 9c28b020233d996a81f1aadc2c99d684 |
| SHA1 | b60d0dafc9b8b74e3f6e31fe6736a4c067a0683c |
| SHA256 | 36c5906edf1c63b85a2c5e70e070d38446bae1217ec98049351d93c2003608f5 |
| SHA512 | 5743921579d6c4d49fdcbb069e3a84a1be7e30dee20a3906d7eafc6b52297292fc40cb5a6b4f87cb20f18bd5b056da766f41e40aab034ee830f3e489ac313cb7 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe
| MD5 | 23237e2630125121aed197aaf0fc87dd |
| SHA1 | c755798953785a065241df452a349ac5d88a402f |
| SHA256 | 3a2a5abb0ef67bd8a68db1a6a5e9d0aaa037701dbc1465f8d4ada3ffe0c2df75 |
| SHA512 | bdf0c59718015abe9cb40b49cf23fb5b5a153aae8cc9792ea05ad6be95e2775f82f64a08a9377f405f677990f151db67a7c9c659257e3651e97e5118c42be6db |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4GB090Km.exe
| MD5 | ce5724ed62569c79d5828db35e5e620b |
| SHA1 | 12321d5ab64eeee54ea7ef6cbace1607043d8a12 |
| SHA256 | 6cc6811c39e7bc94f3cab5599006040a0a55b5d6be3d2d0353582716bda9f7a9 |
| SHA512 | 14902d086f2379b0d6324032fe6146ca1f242123ccccea6136582a577e13bd1701e88f2e897723e67bcbf91add3be15ee215dee6955d36d85505753675256cb2 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe
| MD5 | c95bb1b9396e1e2204afa090c9912f36 |
| SHA1 | c722e32386bcbbf97436430df37a53185981e1be |
| SHA256 | a7250af480549fea8e7a61235e25ac6168b34a4bc7e0794a328281387bcee065 |
| SHA512 | 4e1a24b2f96ff77d1db096eddd9f5c560d9a3b61b088f3e8692348fbe39720d14cc76bde7ae4104fcd255aed97ae934309f7ea4f96c96a89c859927f3cb71ba5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vp0qI8nC.exe
| MD5 | 23237e2630125121aed197aaf0fc87dd |
| SHA1 | c755798953785a065241df452a349ac5d88a402f |
| SHA256 | 3a2a5abb0ef67bd8a68db1a6a5e9d0aaa037701dbc1465f8d4ada3ffe0c2df75 |
| SHA512 | bdf0c59718015abe9cb40b49cf23fb5b5a153aae8cc9792ea05ad6be95e2775f82f64a08a9377f405f677990f151db67a7c9c659257e3651e97e5118c42be6db |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB9tY4oN.exe
| MD5 | c95bb1b9396e1e2204afa090c9912f36 |
| SHA1 | c722e32386bcbbf97436430df37a53185981e1be |
| SHA256 | a7250af480549fea8e7a61235e25ac6168b34a4bc7e0794a328281387bcee065 |
| SHA512 | 4e1a24b2f96ff77d1db096eddd9f5c560d9a3b61b088f3e8692348fbe39720d14cc76bde7ae4104fcd255aed97ae934309f7ea4f96c96a89c859927f3cb71ba5 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe
| MD5 | 2de754f03fc316370986ead47b72b502 |
| SHA1 | 8f9f4d21909c833d4625deb281db48e568c39d1d |
| SHA256 | 450e2b978b4b1d2dc009c721c0ba2090d3c4c535dcc170c627d98a7d3b47883f |
| SHA512 | 15056da46fcf22168a14d9935f7fc76347bdd63836f0a84b96bd13218675c325f103e1e75bfa8c6ca8e6da7c1c83cc2c991cf5d6262aea9ce10cf45fe34a475d |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1th20qt9.exe
| MD5 | eb224ab4447fd162331de829a25cd323 |
| SHA1 | bc548105ff28c7df16c2bad188e84347ac545fac |
| SHA256 | 2297046a8c31790163a45d192afd48fc77260888829587fec5b72fe52cf489f0 |
| SHA512 | 212ca1b198b858f9ef012cf691ea579657711601e5e26aa673650d40248b4576c7cab718a02f58ca2ee7000e2cc479fcbbe37f06358f33066205838e19df913c |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IU9HJ2Tq.exe
| MD5 | 2de754f03fc316370986ead47b72b502 |
| SHA1 | 8f9f4d21909c833d4625deb281db48e568c39d1d |
| SHA256 | 450e2b978b4b1d2dc009c721c0ba2090d3c4c535dcc170c627d98a7d3b47883f |
| SHA512 | 15056da46fcf22168a14d9935f7fc76347bdd63836f0a84b96bd13218675c325f103e1e75bfa8c6ca8e6da7c1c83cc2c991cf5d6262aea9ce10cf45fe34a475d |
C:\Users\Admin\AppData\Local\Temp\A6EA.exe
| MD5 | 9c28b020233d996a81f1aadc2c99d684 |
| SHA1 | b60d0dafc9b8b74e3f6e31fe6736a4c067a0683c |
| SHA256 | 36c5906edf1c63b85a2c5e70e070d38446bae1217ec98049351d93c2003608f5 |
| SHA512 | 5743921579d6c4d49fdcbb069e3a84a1be7e30dee20a3906d7eafc6b52297292fc40cb5a6b4f87cb20f18bd5b056da766f41e40aab034ee830f3e489ac313cb7 |
C:\Users\Admin\AppData\Local\Temp\AA18.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
memory/1912-349-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1728-350-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1912-347-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1728-352-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1912-353-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1728-355-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AE11.exe
| MD5 | ce5724ed62569c79d5828db35e5e620b |
| SHA1 | 12321d5ab64eeee54ea7ef6cbace1607043d8a12 |
| SHA256 | 6cc6811c39e7bc94f3cab5599006040a0a55b5d6be3d2d0353582716bda9f7a9 |
| SHA512 | 14902d086f2379b0d6324032fe6146ca1f242123ccccea6136582a577e13bd1701e88f2e897723e67bcbf91add3be15ee215dee6955d36d85505753675256cb2 |
C:\Users\Admin\AppData\Local\Temp\AF69.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
memory/316-363-0x0000000000110000-0x000000000011A000-memory.dmp
memory/316-364-0x00007FF9D8C60000-0x00007FF9D9721000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B1EB.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\AC1A.tmp\AC2A.tmp\AC2B.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/3480-378-0x0000000073A70000-0x0000000074220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VR740tb.exe
| MD5 | fbeb83d8ac9e07a6391b6ff726915e09 |
| SHA1 | 30df12929f8c3ae5ed3e2da02a29beaf29593293 |
| SHA256 | 2bdb9a5f5624a3af485897f23de2d5e7c37ceee27fc951cf6c0322a243ce4bbe |
| SHA512 | 563d2dffea3e3f06ad92e894cb1244d0d2b818a43dd537dec50b47542842bf160c522bf6d4317f90968e94cbbf3a83948a7307d08a5d0b4a0759e1f01c1522c6 |
memory/1728-383-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3480-381-0x0000000007590000-0x00000000075A0000-memory.dmp
memory/4704-386-0x0000000073A70000-0x0000000074220000-memory.dmp
memory/4704-387-0x0000000000200000-0x000000000023E000-memory.dmp
memory/4704-388-0x0000000007190000-0x00000000071A0000-memory.dmp
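The Files list above is a flat run of path lines, each followed by its MD5/SHA1/SHA256/SHA512 rows, and several digests recur under different names (2rf9479.exe and A6EA.exe; 4Hp031bP.exe, 4GB090Km.exe and AE11.exe; B1EB.exe and explothe.exe), while the Crashpad pipe entries carry the digests of the empty file. The Python below is an added example, not code from the sandbox or from this report: it parses such a listing, groups entries by SHA-256 to surface one payload written under more than one name, flags empty-file digests, and checks that no SHA-256 is reported with conflicting MD5 values. Its sample input is copied from the entries above with the SHA512 rows left out; the `| ALG | hex |` row layout is the only format assumption.

```python
"""Added example (not report or sandbox code): parse a Files listing like the
one above and summarise it.  SAMPLE is copied from the entries above, minus
the SHA512 rows; the '| ALG | hex |' row layout is the only format assumed."""
import hashlib
import re
from collections import defaultdict

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GG2Ha09.exe
| MD5 | bd84a04ac75df534dcb37b26ea39059d |
| SHA1 | d40c39fbf1509f00d71b9c3e9b6910d9774e45e0 |
| SHA256 | 0099b72b5a3ffc5c504ec63bc500a77c092fd84bd58c39d4ad6fa46ac7b8f54a |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rf9479.exe
| MD5 | 9c28b020233d996a81f1aadc2c99d684 |
| SHA1 | b60d0dafc9b8b74e3f6e31fe6736a4c067a0683c |
| SHA256 | 36c5906edf1c63b85a2c5e70e070d38446bae1217ec98049351d93c2003608f5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hp031bP.exe
| MD5 | ce5724ed62569c79d5828db35e5e620b |
| SHA1 | 12321d5ab64eeee54ea7ef6cbace1607043d8a12 |
| SHA256 | 6cc6811c39e7bc94f3cab5599006040a0a55b5d6be3d2d0353582716bda9f7a9 |
\??\pipe\LOCAL\crashpad_2016_KWPJZFPCZXUSNFFH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Temp\A6EA.exe
| MD5 | 9c28b020233d996a81f1aadc2c99d684 |
| SHA1 | b60d0dafc9b8b74e3f6e31fe6736a4c067a0683c |
| SHA256 | 36c5906edf1c63b85a2c5e70e070d38446bae1217ec98049351d93c2003608f5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4GB090Km.exe
| MD5 | ce5724ed62569c79d5828db35e5e620b |
| SHA1 | 12321d5ab64eeee54ea7ef6cbace1607043d8a12 |
| SHA256 | 6cc6811c39e7bc94f3cab5599006040a0a55b5d6be3d2d0353582716bda9f7a9 |
C:\Users\Admin\AppData\Local\Temp\AE11.exe
| MD5 | ce5724ed62569c79d5828db35e5e620b |
| SHA1 | 12321d5ab64eeee54ea7ef6cbace1607043d8a12 |
| SHA256 | 6cc6811c39e7bc94f3cab5599006040a0a55b5d6be3d2d0353582716bda9f7a9 |
C:\Users\Admin\AppData\Local\Temp\B1EB.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

def parse_files(text):
    """Return [{'path': ..., 'MD5': ..., 'SHA1': ..., ...}, ...] in report order.
    Any non-empty line that is not a hash row starts a new entry."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m is None:                      # a path line opens a new entry
            current = {"path": line}
            records.append(current)
        elif current is None:
            raise ValueError(f"hash row before any path: {line}")
        else:
            current[m.group(1)] = m.group(2).lower()
    return records

# Digests of the zero-length file: an entry carrying these (here the Crashpad
# named pipe) is an empty object, not a payload worth hunting for.
EMPTY_DIGESTS = {alg: hashlib.new(alg).hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}

def empty_file_entries(records):
    return [r["path"] for r in records if r.get("SHA256") == EMPTY_DIGESTS["sha256"]]

def aliases_by_sha256(records):
    """SHA-256 -> distinct paths (first-seen order) for digests dropped under
    more than one name: one payload copied around, not several payloads."""
    paths = defaultdict(list)
    for r in records:
        if "SHA256" in r and r["path"] not in paths[r["SHA256"]]:
            paths[r["SHA256"]].append(r["path"])
    return {h: p for h, p in paths.items() if len(p) > 1}

def digest_conflicts(records):
    """SHA-256 values reported with more than one MD5: a transcription error
    in the listing, since the same bytes cannot yield two different MD5s."""
    md5s = defaultdict(set)
    for r in records:
        if "SHA256" in r and "MD5" in r:
            md5s[r["SHA256"]].add(r["MD5"])
    return sorted(h for h, s in md5s.items() if len(s) > 1)

if __name__ == "__main__":
    recs = parse_files(SAMPLE)
    for digest, names in aliases_by_sha256(recs).items():
        print(digest[:16], "->", ", ".join(names))
    print("empty objects:", empty_file_entries(recs))
    print("MD5/SHA-256 conflicts:", digest_conflicts(recs))
```

Feed it only the Files section (the network table rows above would otherwise be read as paths). Grouping by SHA-256 rather than by name is what turns this listing into a short IOC set: three distinct payload digests account for seven of the nine sample entries, and the empty-digest entry can be dropped from any blocklist.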
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3d5af55f794f9a10c5943d2f80dde5c5 |
| SHA1 | 5252adf87d6bd769f2c39b9e8eba77b087a0160d |
| SHA256 | 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764 |
| SHA512 | 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 589f2c74d6ce9bceaadb06c6e92fc856 |
| SHA1 | e80bdd360d6f695ab685c7d53bc2e392633ebae6 |
| SHA256 | 3c02c9db771e27db42ec03cc6d82481f0b2809bed6c032e021a866bc6f26b7af |
| SHA512 | 88df419a9d77d627e283b1ab10ffc2eec1a010468d74a3533cba8ea19da78b83f9847f1da32c6f585b163bd3dbe83083867a489eabcc5b4aa3455480c8fd8787 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c917.TMP
| MD5 | 5034ea19f66f717ee33a12e814eddc63 |
| SHA1 | 323093aec0b62a7513ac7e319a76b5c43c19d31b |
| SHA256 | 654d20451be44b77fe9b10b54cacf1de80474031650e5b3d7f21c7c2bf232398 |
| SHA512 | 3754ec1ef79a069fb36113af7f694560e50ecc8c71030dbffe75ec6c7ef2f682fcda0c53943486c47ac2596b006499d08c8ace887a99d5ad2cf9653568e4e2d6 |
memory/316-490-0x00007FF9D8C60000-0x00007FF9D9721000-memory.dmp
memory/3480-501-0x0000000073A70000-0x0000000074220000-memory.dmp
memory/316-503-0x00007FF9D8C60000-0x00007FF9D9721000-memory.dmp
memory/3480-504-0x0000000007590000-0x00000000075A0000-memory.dmp
memory/4704-505-0x0000000073A70000-0x0000000074220000-memory.dmp
memory/4704-506-0x0000000007190000-0x00000000071A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 821258b8d22ae7d85fd0504277352964 |
| SHA1 | 1501d1b6c5b24a64dd4fb7c059b7019850edc73a |
| SHA256 | 3887e37a175655b2213f1c8b1933c8f3743547273df7ad624be3ca4dd9609475 |
| SHA512 | 36bd189de2e558e36d585b1fadd1ff230712c7d402832cfdaf690c2055b81bf53c6706cf15984c3afb4f763fe12a8cd4d1f8261a8a43172b9d7124ae41188391 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2cc59bc8ac8b05cbfc43d6a3b1625f88 |
| SHA1 | 31120abe0ca094880a66dd6f003d53ca3bbdfe0e |
| SHA256 | d00dc8a363def313f6c4192be4f2711dd3823a39b919b690bbd583499e47a712 |
| SHA512 | 1b58fd226788ba444a525ee3aa49f7f1ddbbce496f797eb75c398aa6234a78cd1ebf1695dd3293cafe1033c90006a363d9595b057e22fe774299e59d84b77f85 |
memory/6084-536-0x0000000073A70000-0x0000000074220000-memory.dmp
memory/6084-537-0x0000000000B30000-0x0000000001A5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b44f3ea702caf5fba20474d4678e67f6 |
| SHA1 | d33da22fcd5674123807aaf01123d49a69901e33 |
| SHA256 | 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8 |
| SHA512 | ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | aa6f521d78f6e9101a1a99f8bfdfbf08 |
| SHA1 | 81abd59d8275c1a1d35933f76282b411310323be |
| SHA256 | 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d |
| SHA512 | 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153 |
C:\Users\Admin\AppData\Local\Temp\source1.exe
| MD5 | e082a92a00272a3c1cd4b0de30967a79 |
| SHA1 | 16c391acf0f8c637d36a93e217591d8319e3f041 |
| SHA256 | eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc |
| SHA512 | 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288 |
memory/1804-559-0x0000000073A70000-0x0000000074220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2851a70ca19b16778e94b225dcc27904 |
| SHA1 | cea1968ef75b931ddd6e8af9256dcae12ff74870 |
| SHA256 | 707f9ba4d77ef904b4343d5363dc2587dfe7bd9800c21006aad40d1e986647a0 |
| SHA512 | bd52bc9d20c6d23a889f2625de66299a0ed00052f29ec26a90e05dd24768802338f63205301b8305ca792c20bcd8c242c24ffd9d7580d7cf248214ec3a77fc30 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 61584b4ce26636c20cce4748f0b3ebe8 |
| SHA1 | 4c92db3122013ee98b9ef74d80d4bf898594a65c |
| SHA256 | cd6501470054de747bec19b698ff478be89abc245a7764844e6a926f53e0bd2a |
| SHA512 | d4c379c4d772f7cc7860c03c3356ee3668fa7c636bbe455926908aebfb133b108c31df5579211b36a7c90bf47510d9c92e855c2956a8150a053c99cd1c868faf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ef766753-938b-4602-a2a8-12855bc1709d.tmp
| MD5 | f119c59ab5b93e73ae39b69f5b8c8658 |
| SHA1 | b1cbdd2fdeef5b7bb03e1e3ae7241fb27441acba |
| SHA256 | 2dfa1c3dfb5ab557db79d5b97fa87a7f69a59ec6d1046633b233154d2a5bc91c |
| SHA512 | 6f1f285c4844a3640f3b221c1edc196cd4bb8c9868fae1d95c5531ca9be02fe148be13c0aa4064f793ae03f8cf6aa73941d84a886708ab3b2adb26f4d9367e43 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 98016b359d789dbc7817993933766999 |
| SHA1 | 616fc323bc29b87c281235b738a045c75e32ea6c |
| SHA256 | 1373b412cc42cd0ed852d0b5f78b8242df547f6854107798d2427da790afba88 |
| SHA512 | 96cdf65839633cdbb7aca2d99fce315f881727f94240333a042b0d79a4fe7125ef70ac9a41b36fd89557ea95424a30745a6b5f5f4f1fed54036f3ec8dbb7de47 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4iwu044s.wwj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmp70E8.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmp710D.tmp
| MD5 | afa13f3defcd7a3454d106cf6abbf911 |
| SHA1 | c5bb2e376d265d252edbcea4252580c7f44ee741 |
| SHA256 | 707fff65d2f00566f96afd5b2a0e1c0460367c4bc008e55b60739f046f46f2f0 |
| SHA512 | 570a13afeaa7452cb43528aff19c09bbc528c6b29f065e847e966bfd2cd8dc3cdc0637935e6f9ebfdde8019e5135ab01a3a18667e0ed8623ef8b3366492a6203 |
C:\Users\Admin\AppData\Local\Temp\tmp7148.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp715D.tmp
| MD5 | 89e12a4710470299e05679908b2b1f7a |
| SHA1 | 85b08579e6cf8518b085ea7709bd67ae6b3e0914 |
| SHA256 | 1b89b37b7f154f7c1c9adba1f8f660fdcb1b0f4a4812207b450fbe5c251e6542 |
| SHA512 | 670609ca82862c03208bc00b927e5f2ca0847572001a5cb6cdb9bb046abbcc0476cdf3b7df83c7e5f592301c4ca85e47ef3a7d32fe45552981d21d9a110794d3 |
C:\Users\Admin\AppData\Local\Temp\tmp716F.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp719A.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |