Analysis Overview
SHA256
09bc171f5333f9d34f9a2f99915ed31613f6ca4c35a10699bfacca8524054b67
Threat Level: Known bad
The file file was found to be: Known bad.
Malicious Activity Summary
Amadey
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies Windows Defender Real-time Protection settings
SectopRAT payload
SmokeLoader
Healer
Glupteba payload
DcRat
Detects Healer an antivirus disabler dropper
SectopRAT
Glupteba
Downloads MZ/PE file
Stops running service(s)
Modifies Windows Firewall
Drops file in Drivers directory
Windows security modification
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 23:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 23:05
Reported
2023-10-10 23:08
Platform
win7-20230831-en
Max time kernel
159s
Max time network
135s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
SmokeLoader
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2604 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 300
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
| MD5 | 56561b0f5ca4cf290c75c3001613d3c1 |
| SHA1 | f197b60b93fad8f405e772eba2ee3243482e6502 |
| SHA256 | 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68 |
| SHA512 | ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
| MD5 | 56561b0f5ca4cf290c75c3001613d3c1 |
| SHA1 | f197b60b93fad8f405e772eba2ee3243482e6502 |
| SHA256 | 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68 |
| SHA512 | ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
| MD5 | 56561b0f5ca4cf290c75c3001613d3c1 |
| SHA1 | f197b60b93fad8f405e772eba2ee3243482e6502 |
| SHA256 | 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68 |
| SHA512 | ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
| MD5 | 56561b0f5ca4cf290c75c3001613d3c1 |
| SHA1 | f197b60b93fad8f405e772eba2ee3243482e6502 |
| SHA256 | 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68 |
| SHA512 | ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
| MD5 | 8d23bbf024acc1276c1ec3ea52e773c8 |
| SHA1 | 7c49f18707918fc09d3f3916eab3de18bde06efa |
| SHA256 | c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c |
| SHA512 | b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
| MD5 | 8d23bbf024acc1276c1ec3ea52e773c8 |
| SHA1 | 7c49f18707918fc09d3f3916eab3de18bde06efa |
| SHA256 | c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c |
| SHA512 | b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
| MD5 | 8d23bbf024acc1276c1ec3ea52e773c8 |
| SHA1 | 7c49f18707918fc09d3f3916eab3de18bde06efa |
| SHA256 | c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c |
| SHA512 | b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
| MD5 | 8d23bbf024acc1276c1ec3ea52e773c8 |
| SHA1 | 7c49f18707918fc09d3f3916eab3de18bde06efa |
| SHA256 | c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c |
| SHA512 | b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
memory/2952-30-0x00000000003A0000-0x00000000003BE000-memory.dmp
memory/2952-31-0x00000000004F0000-0x000000000050C000-memory.dmp
memory/2952-32-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-33-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-35-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-37-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-39-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-45-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-51-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-59-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-57-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-55-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-53-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-49-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-47-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-43-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/2952-41-0x00000000004F0000-0x0000000000506000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
memory/2780-66-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2780-67-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2780-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2780-69-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2780-70-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1236-71-0x0000000002B50000-0x0000000002B66000-memory.dmp
memory/2780-72-0x0000000000400000-0x0000000000409000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 23:05
Reported
2023-10-10 23:08
Platform
win10v2004-20230915-en
Max time kernel
100s
Max time network
151s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\5459.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\5459.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\5459.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\5459.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\5459.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\5459.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5572 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5572 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5572 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5572 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5050.bat | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5719.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A0D5.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\5459.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4DFC.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5459.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\source1.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3780 -ip 3780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 592
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 588
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FFAD.tmp\FFAE.tmp\FFAF.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x148,0x174,0x7fff787a46f8,0x7fff787a4708,0x7fff787a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff787a46f8,0x7fff787a4708,0x7fff787a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,3660626174914027425,17000206710627937797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,3660626174914027425,17000206710627937797,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\4DFC.exe
C:\Users\Admin\AppData\Local\Temp\4DFC.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
C:\Users\Admin\AppData\Local\Temp\4F74.exe
C:\Users\Admin\AppData\Local\Temp\4F74.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe
C:\Users\Admin\AppData\Local\Temp\5050.bat
"C:\Users\Admin\AppData\Local\Temp\5050.bat"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe
C:\Users\Admin\AppData\Local\Temp\52E1.exe
C:\Users\Admin\AppData\Local\Temp\52E1.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5157.tmp\5158.tmp\5159.bat C:\Users\Admin\AppData\Local\Temp\5050.bat"
C:\Users\Admin\AppData\Local\Temp\5459.exe
C:\Users\Admin\AppData\Local\Temp\5459.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1332 -ip 1332
C:\Users\Admin\AppData\Local\Temp\5719.exe
C:\Users\Admin\AppData\Local\Temp\5719.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 384
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5156 -ip 5156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5456 -ip 5456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 572
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5220 -ip 5220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 388
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff787a46f8,0x7fff787a4708,0x7fff787a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff787a46f8,0x7fff787a4708,0x7fff787a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11247463955505392451,6441198629495493741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\A0D5.exe
C:\Users\Admin\AppData\Local\Temp\A0D5.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\source1.exe
"C:\Users\Admin\AppData\Local\Temp\source1.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\C43C.exe
C:\Users\Admin\AppData\Local\Temp\C43C.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\C6FD.exe
C:\Users\Admin\AppData\Local\Temp\C6FD.exe
C:\Users\Admin\AppData\Local\Temp\C96F.exe
C:\Users\Admin\AppData\Local\Temp\C96F.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4440 -ip 4440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 792
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 142.251.36.45:443 | accounts.google.com | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 45.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| CZ | 157.240.30.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| CZ | 157.240.30.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | 27.30.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.30.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 85.209.176.171:80 | 85.209.176.171 | tcp |
| US | 8.8.8.8:53 | tak.soydet.top | udp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| FI | 95.217.246.182:8443 | tak.soydet.top | tcp |
| US | 8.8.8.8:53 | 171.176.209.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.246.217.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bytecloudasa.website | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | 162.61.21.104.in-addr.arpa | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | bytecloudasa.website | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | 2cbc4e29-9ccb-4ca9-8283-fb82d57c4620.uuid.cdntokiog.studio | udp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | server5.cdntokiog.studio | udp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| IN | 172.253.121.127:19302 | stun1.l.google.com | udp |
| BG | 185.82.216.49:443 | server5.cdntokiog.studio | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.97.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 127.121.253.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.58.224:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| DE | 51.68.190.80:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 224.58.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.68.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
| MD5 | 56561b0f5ca4cf290c75c3001613d3c1 |
| SHA1 | f197b60b93fad8f405e772eba2ee3243482e6502 |
| SHA256 | 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68 |
| SHA512 | ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
| MD5 | 56561b0f5ca4cf290c75c3001613d3c1 |
| SHA1 | f197b60b93fad8f405e772eba2ee3243482e6502 |
| SHA256 | 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68 |
| SHA512 | ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
| MD5 | 8d23bbf024acc1276c1ec3ea52e773c8 |
| SHA1 | 7c49f18707918fc09d3f3916eab3de18bde06efa |
| SHA256 | c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c |
| SHA512 | b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
| MD5 | 8d23bbf024acc1276c1ec3ea52e773c8 |
| SHA1 | 7c49f18707918fc09d3f3916eab3de18bde06efa |
| SHA256 | c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c |
| SHA512 | b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
memory/4164-21-0x0000000000950000-0x000000000096E000-memory.dmp
memory/4164-22-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4164-23-0x0000000004B60000-0x0000000004B70000-memory.dmp
memory/4164-24-0x0000000004B60000-0x0000000004B70000-memory.dmp
memory/4164-25-0x0000000004B70000-0x0000000005114000-memory.dmp
memory/4164-26-0x0000000004AD0000-0x0000000004AEC000-memory.dmp
memory/4164-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-28-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-30-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-32-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-34-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-36-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-38-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-40-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-42-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-44-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-46-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-48-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-50-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-52-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-54-0x0000000004AD0000-0x0000000004AE6000-memory.dmp
memory/4164-55-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4164-56-0x0000000004B60000-0x0000000004B70000-memory.dmp
memory/4164-58-0x0000000074650000-0x0000000074E00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
| MD5 | cf7780ca38d90bab26c8e971b682017e |
| SHA1 | 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6 |
| SHA256 | 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c |
| SHA512 | f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a |
memory/2672-62-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2672-63-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe
| MD5 | 65b1c683fb39708c8966c14dcace52a2 |
| SHA1 | a301da3c1cbb90f0b3e1b36248b2f44407dcc54f |
| SHA256 | 5f396a11078b472ff6d16de1c55d14c1162ea316b590085d980fedfe4ad7be69 |
| SHA512 | 9a07d72ae119cb5569d7a8506a56c7b94ef5cd626b3b000c5745d25e15c93d7198c8f8ad7f7952c369ad6eb2f5e978bc62f230d4f3999cf3884508821c15b5c3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe
| MD5 | 65b1c683fb39708c8966c14dcace52a2 |
| SHA1 | a301da3c1cbb90f0b3e1b36248b2f44407dcc54f |
| SHA256 | 5f396a11078b472ff6d16de1c55d14c1162ea316b590085d980fedfe4ad7be69 |
| SHA512 | 9a07d72ae119cb5569d7a8506a56c7b94ef5cd626b3b000c5745d25e15c93d7198c8f8ad7f7952c369ad6eb2f5e978bc62f230d4f3999cf3884508821c15b5c3 |
memory/2020-67-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2020-68-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/2020-69-0x0000000007C90000-0x0000000007D22000-memory.dmp
memory/2020-70-0x00000000058A0000-0x00000000058B0000-memory.dmp
memory/2020-71-0x00000000058D0000-0x00000000058DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe
| MD5 | 6d7af5e06ae9f0d8c4541523fe8de68e |
| SHA1 | a124dba85a42e681fd0aaa62c7429ebcf963204d |
| SHA256 | ac8f2de061e32fe886300db67d970453bebab3ecf0af7dac93b9d5cb5557d1cd |
| SHA512 | 82cbe18a4fd4100e2fdbc2533b334eb3ba3c78613f113acd08687c98c99d237f5ba98e7ba5aa2f5b8dce99cc5c29ad255945879103cbbe054c7a3cf65b00c426 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe
| MD5 | 6d7af5e06ae9f0d8c4541523fe8de68e |
| SHA1 | a124dba85a42e681fd0aaa62c7429ebcf963204d |
| SHA256 | ac8f2de061e32fe886300db67d970453bebab3ecf0af7dac93b9d5cb5557d1cd |
| SHA512 | 82cbe18a4fd4100e2fdbc2533b334eb3ba3c78613f113acd08687c98c99d237f5ba98e7ba5aa2f5b8dce99cc5c29ad255945879103cbbe054c7a3cf65b00c426 |
memory/2020-76-0x0000000008E10000-0x0000000009428000-memory.dmp
memory/2020-77-0x0000000008010000-0x000000000811A000-memory.dmp
memory/2020-78-0x0000000007EC0000-0x0000000007ED2000-memory.dmp
memory/2020-80-0x0000000007F40000-0x0000000007F7C000-memory.dmp
memory/3156-79-0x0000000000A60000-0x0000000000A76000-memory.dmp
memory/2672-82-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2020-84-0x0000000007F80000-0x0000000007FCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FFAD.tmp\FFAE.tmp\FFAF.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3478c18dc45d5448e5beefe152c81321 |
| SHA1 | a00c4c477bbd5117dec462cd6d1899ec7a676c07 |
| SHA256 | d2191cbeb51c49cbcd6f0ef24c8f93227b56680c95c762843137ac5d5f3f2e23 |
| SHA512 | 8473bb9429b1baf1ca4ac2f03f2fdecc89313624558cf9d3f58bebb58a8f394c950c34bdc7b606228090477f9c867b0d19a00c0e2f76355c613dafd73d69599c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
\??\pipe\LOCAL\crashpad_3652_OHTFTTWNFWNXTUYF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
\??\pipe\LOCAL\crashpad_3968_MKATNMYBHDOPDDFH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 19f9db596c89ae4aa68d95e94e48f8fb |
| SHA1 | e3c05968e8586001cdef0de71d2514d03f1aad0c |
| SHA256 | 608109c5165315a1ab89b5bd9fe8be2a0992d1e7357e40472ca45d76fc2620cd |
| SHA512 | 90ccbe6c1290ee76c180203f92ba07b6e939f5eda6c267eab2239b1f79497ce4f4ce35f52540b72306484ce73fef1175c4c6eba711bec03d8ea2115589751fd6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 906ddf764aecb34fe641b181fb920385 |
| SHA1 | 993baa6eca110a97d6ce99cdc1cddd58050e7b47 |
| SHA256 | d114dc635c01a1bf3bc9558284aefa2cd408bd87a486a4f3e59dee957fc56c8d |
| SHA512 | efe6fbc3acf6164abc693eb335300a4e20c13b9f9ba90f27e9e0c50c652a56da5fb32ea83229fe1577be3f2571d8c6bd779cf563be1f2e35f134ef7021a824bf |
memory/2020-234-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/2020-235-0x00000000058A0000-0x00000000058B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7975349d8b1a173188615a8431f4f9ab |
| SHA1 | 6396b741d2e9fe2715d3ff5d086a46354b450804 |
| SHA256 | a910fd9c9c9682c9a6b7e1a4088c0f7710d206b10eed7ac11c83eb500ea98ff9 |
| SHA512 | 1c07d8147188c4cd1e7e887d3975f26d0cdf8d1bdf5ac6fac65d47eb0eb02dc2dd81b6b6ade6b91ad492eac428f7d44eb8b70bdcbb8851be1559fea4aac0e251 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 19f9db596c89ae4aa68d95e94e48f8fb |
| SHA1 | e3c05968e8586001cdef0de71d2514d03f1aad0c |
| SHA256 | 608109c5165315a1ab89b5bd9fe8be2a0992d1e7357e40472ca45d76fc2620cd |
| SHA512 | 90ccbe6c1290ee76c180203f92ba07b6e939f5eda6c267eab2239b1f79497ce4f4ce35f52540b72306484ce73fef1175c4c6eba711bec03d8ea2115589751fd6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d16c01ca57baff69a80f332423437731 |
| SHA1 | da61b23254072ff8d119ab0e39a106da4cc75758 |
| SHA256 | dab4edaad5313173bd912543cd629ea3be22a0f698e477b6d34f49446c847998 |
| SHA512 | be2c310b2a896e567911b90faa1e8591842505bbf09c1917cde5dd0ffffc2646f10b380737572b426be40b39f179362e4c2fd5167d5d0cf88c16e4610df708a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | d555d038867542dfb2fb0575a0d3174e |
| SHA1 | 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0 |
| SHA256 | 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e |
| SHA512 | d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f |
C:\Users\Admin\AppData\Local\Temp\4DFC.exe
| MD5 | 839f8fc33a04de86e8d5994b2aa6aea0 |
| SHA1 | 5cb533c20d178bf038d2da2c61eb95bc26433e7c |
| SHA256 | a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db |
| SHA512 | f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664 |
C:\Users\Admin\AppData\Local\Temp\4DFC.exe
| MD5 | 839f8fc33a04de86e8d5994b2aa6aea0 |
| SHA1 | 5cb533c20d178bf038d2da2c61eb95bc26433e7c |
| SHA256 | a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db |
| SHA512 | f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Wv57eP.exe
| MD5 | 9d4d147233220521442956ab1e41861a |
| SHA1 | b8377797207475fd453286d26f2d2a4bb8d83728 |
| SHA256 | c7df1e7fd95ac9e40120f055fe83ffd55998d2fb5e8406a787a3b0d2b5732e7d |
| SHA512 | becc06ca3397f84171c7cff851ff7c643e730ca00b9097296c2bc88046bc2d76f127d2594a7caed6d98be9588f2010896ec3adb46c13bc3b7be2aaa8529ec5ec |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
| MD5 | e82f10ca30c3674b591ba3761a00ff50 |
| SHA1 | e751249903f3eeaab829b9cb8e8ae4219222cd23 |
| SHA256 | 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9 |
| SHA512 | 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
| MD5 | e82f10ca30c3674b591ba3761a00ff50 |
| SHA1 | e751249903f3eeaab829b9cb8e8ae4219222cd23 |
| SHA256 | 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9 |
| SHA512 | 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3 |
C:\Users\Admin\AppData\Local\Temp\4F74.exe
| MD5 | a3935470ac75a6b353ae690082b55292 |
| SHA1 | 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86 |
| SHA256 | 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32 |
| SHA512 | f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe
| MD5 | 49984d4611ca7c02b606d50a958ddd24 |
| SHA1 | 836a4d3d4cd8baab3a823750e4d44e0c58001dd8 |
| SHA256 | 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5 |
| SHA512 | 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed |
C:\Users\Admin\AppData\Local\Temp\4F74.exe
| MD5 | a3935470ac75a6b353ae690082b55292 |
| SHA1 | 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86 |
| SHA256 | 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32 |
| SHA512 | f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe
| MD5 | 49984d4611ca7c02b606d50a958ddd24 |
| SHA1 | 836a4d3d4cd8baab3a823750e4d44e0c58001dd8 |
| SHA256 | 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5 |
| SHA512 | 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe
| MD5 | 590173d0a05e97556709039366f07fea |
| SHA1 | 4402d6ea0d867c33ae1e852bb357053d01551e02 |
| SHA256 | 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6 |
| SHA512 | b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe
| MD5 | 590173d0a05e97556709039366f07fea |
| SHA1 | 4402d6ea0d867c33ae1e852bb357053d01551e02 |
| SHA256 | 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6 |
| SHA512 | b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa |
C:\Users\Admin\AppData\Local\Temp\5050.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe
| MD5 | 648ba0e942d7d0193ff347f9c3abd5e8 |
| SHA1 | ef7f4e5743b988a622664b53ed661badfd790c49 |
| SHA256 | 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba |
| SHA512 | e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe
| MD5 | 648ba0e942d7d0193ff347f9c3abd5e8 |
| SHA1 | ef7f4e5743b988a622664b53ed661badfd790c49 |
| SHA256 | 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba |
| SHA512 | e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1 |
C:\Users\Admin\AppData\Local\Temp\5050.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe
| MD5 | 7bbb81dd416c9095b091a8928f9f417e |
| SHA1 | 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821 |
| SHA256 | 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441 |
| SHA512 | e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe
| MD5 | 7bbb81dd416c9095b091a8928f9f417e |
| SHA1 | 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821 |
| SHA256 | 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441 |
| SHA512 | e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee |
C:\Users\Admin\AppData\Local\Temp\52E1.exe
| MD5 | 93990eb50d3989187d96bbb7ee7307d2 |
| SHA1 | 1677aed3760a6348b97aa163134d23b49b7ed298 |
| SHA256 | 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e |
| SHA512 | e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95 |
C:\Users\Admin\AppData\Local\Temp\52E1.exe
| MD5 | 93990eb50d3989187d96bbb7ee7307d2 |
| SHA1 | 1677aed3760a6348b97aa163134d23b49b7ed298 |
| SHA256 | 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e |
| SHA512 | e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95 |
C:\Users\Admin\AppData\Local\Temp\5459.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
memory/5292-335-0x0000000000D50000-0x0000000000D5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5459.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
memory/5340-337-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5340-338-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5340-340-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5292-339-0x00007FFF655F0000-0x00007FFF660B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5719.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/5340-336-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5719.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/5456-348-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5456-349-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5456-351-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5157.tmp\5158.tmp\5159.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/5340-367-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/5676-371-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/5676-372-0x00000000073E0000-0x00000000073F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe
| MD5 | cded7d5b117a56fe62558b4e745efcb1 |
| SHA1 | f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8 |
| SHA256 | 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb |
| SHA512 | 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe
| MD5 | cded7d5b117a56fe62558b4e745efcb1 |
| SHA1 | f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8 |
| SHA256 | 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb |
| SHA512 | 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696 |
memory/5900-376-0x0000000000A00000-0x0000000000A3E000-memory.dmp
memory/5900-377-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/5900-378-0x00000000079A0000-0x00000000079B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
memory/5292-449-0x00007FFF655F0000-0x00007FFF660B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8e09841bccce176c24e00f1df1c799d0 |
| SHA1 | f7c1646055836fca3916df96a139c4390b7e3b0f |
| SHA256 | 9b41737be8bf5d255684386d0301b4e61352da710166d1ca780c7db5ada2f7d3 |
| SHA512 | f79713c9985e872d8d15b3cb99ab69c78dc8603b901eb0bc304b11950fad7d1fb5dc38a907437c56d600ac694e0b5d407678ba742c76c67638512125a63e67ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587a6b.TMP
| MD5 | 8fe20976b8e43f986fd7e7e63de4d891 |
| SHA1 | c2b1ae5024fea38f895468e1f2a98936571cb9be |
| SHA256 | a56f820ed7be6a14aace19c066a1ccd73555721f9b904a26e1c8523a6c0981a3 |
| SHA512 | 079b2bb6c00f2b8648f37111750ca9273fbd816b2c4f812e395946356c3ca49f61bd48a2daa9c250c138404d969ad1e3cc1b1183f319a167e39d4406057f3acc |
memory/5292-506-0x00007FFF655F0000-0x00007FFF660B1000-memory.dmp
memory/5676-520-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/5676-523-0x00000000073E0000-0x00000000073F0000-memory.dmp
memory/5900-524-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/5900-525-0x00000000079A0000-0x00000000079B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 12139554cf681785f92bbc8d9a2f8512 |
| SHA1 | 058c35494cf90c2fc420e307dead845307252795 |
| SHA256 | a9db00873b1864d35210f857cbccb397d5980532ab9d5e931f32e45a493063fa |
| SHA512 | 53c9786cbb2669335f9b2679918fc56697185ee36725b8ddb54ee5d8b1a7bec687a241925bb1d8de360893c77c9f0d6ccac7cf0d39dcfb37b013d47c483dca96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 28e38919e9626d7f8ab74509363a2b3d |
| SHA1 | cbcad250fc894450e2b8d4a6607c60d18881786c |
| SHA256 | 5e250070449d138c48c7659f48fd78bd5252e9a9afec85705f9759f7993f3f35 |
| SHA512 | de011f1b970533736b15b457a292ab859239aed9eca90ba9cbd36d45ac4962388dfc016a1c70622915f7365abdbfd45608a0445786a37ffaab64a8a27677334b |
C:\Users\Admin\AppData\Local\Temp\A0D5.exe
| MD5 | 1f353056dfcf60d0c62d87b84f0a5e3f |
| SHA1 | c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0 |
| SHA256 | f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e |
| SHA512 | 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d |
C:\Users\Admin\AppData\Local\Temp\A0D5.exe
| MD5 | 1f353056dfcf60d0c62d87b84f0a5e3f |
| SHA1 | c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0 |
| SHA256 | f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e |
| SHA512 | 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d |
memory/988-557-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/988-558-0x0000000000FA0000-0x0000000001ECA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b44f3ea702caf5fba20474d4678e67f6 |
| SHA1 | d33da22fcd5674123807aaf01123d49a69901e33 |
| SHA256 | 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8 |
| SHA512 | ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | aa6f521d78f6e9101a1a99f8bfdfbf08 |
| SHA1 | 81abd59d8275c1a1d35933f76282b411310323be |
| SHA256 | 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d |
| SHA512 | 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153 |
C:\Users\Admin\AppData\Local\Temp\source1.exe
| MD5 | e082a92a00272a3c1cd4b0de30967a79 |
| SHA1 | 16c391acf0f8c637d36a93e217591d8319e3f041 |
| SHA256 | eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc |
| SHA512 | 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288 |
memory/2340-581-0x0000000000620000-0x0000000000B36000-memory.dmp
memory/2340-582-0x0000000074330000-0x0000000074AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/988-589-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/2340-590-0x00000000053A0000-0x00000000053B0000-memory.dmp
memory/2340-592-0x00000000053F0000-0x00000000053F1000-memory.dmp
memory/2340-591-0x0000000005690000-0x000000000572C000-memory.dmp
memory/5592-594-0x0000000002590000-0x0000000002690000-memory.dmp
memory/5592-595-0x00000000024F0000-0x00000000024F9000-memory.dmp
memory/5808-596-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5808-597-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1108-599-0x00000000041A0000-0x00000000045A3000-memory.dmp
memory/1108-600-0x00000000046B0000-0x0000000004F9B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c96e976d4efe114e2521284c185dc396 |
| SHA1 | 83a1bbd9c9099fdd5aee6f57afa6113f887e667a |
| SHA256 | 3f646de96b5c82b5fb31e9d7e9dd770e0fccf7d0adfd4acb67a871d2105afe99 |
| SHA512 | c06a71187ca3b3a060a396d08c48689e47ee8f7a828e9e30c73519256b33ba7d07382a20718bbe625c390812876449ec0299ae227d14aaa3b0935f40b0fa8394 |
memory/1108-610-0x0000000000400000-0x000000000266D000-memory.dmp
memory/2340-613-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/2340-616-0x00000000053A0000-0x00000000053B0000-memory.dmp
memory/1476-617-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/1476-621-0x0000000002A10000-0x0000000002A46000-memory.dmp
memory/4440-624-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-627-0x0000000005170000-0x0000000005798000-memory.dmp
memory/1476-620-0x0000000002A90000-0x0000000002AA0000-memory.dmp
memory/4440-619-0x00000000020E0000-0x000000000213A000-memory.dmp
memory/3936-628-0x00000000001C0000-0x00000000001DE000-memory.dmp
memory/4440-629-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/3936-633-0x0000000000400000-0x0000000000431000-memory.dmp
memory/5968-634-0x0000000000EA0000-0x0000000000EBE000-memory.dmp
memory/1108-635-0x00000000041A0000-0x00000000045A3000-memory.dmp
memory/3156-636-0x0000000007070000-0x0000000007086000-memory.dmp
memory/3936-639-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/1476-640-0x0000000005100000-0x0000000005122000-memory.dmp
memory/5808-637-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5vp3nmf.lt4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e01aacbd33ab4ac19f155e6c68e3f5b4 |
| SHA1 | 77e424b2ba702017b74ce9027db14165820a8b9a |
| SHA256 | 6320b7f9a5c0059926a42256aef0748e231d4543c60c60591d70743efc0f1ef3 |
| SHA512 | 5d9cd7eeda7f5c55bfadb51de84a22446a6dea139c706f8fea5271240112cddaf4d740170659ab43dafad4c07b108591a0984adbc2c86650151fa0e2ad733c9d |
memory/5572-678-0x00007FF689750000-0x00007FF689CF1000-memory.dmp
memory/2340-680-0x0000000005890000-0x00000000058A5000-memory.dmp
memory/2340-681-0x0000000005890000-0x00000000058A5000-memory.dmp
memory/2340-683-0x0000000005890000-0x00000000058A5000-memory.dmp
memory/2340-685-0x0000000005890000-0x00000000058A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFE87.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpFEDB.tmp
| MD5 | 8395952fd7f884ddb74e81045da7a35e |
| SHA1 | f0f7f233824600f49147252374bc4cdfab3594b9 |
| SHA256 | 248c0c254592c08684c603ac37896813354c88ab5992fadf9d719ec5b958af58 |
| SHA512 | ea296a74758c94f98c352ff7d64c85dcd23410f9b4d3b1713218b8ee45c6b02febff53073819c973da0207471c7d70309461d47949e4d40ba7423328cf23f6cd |
C:\Users\Admin\AppData\Local\Temp\tmpFF2C.tmp
| MD5 | 40c81a7ba8edaca0836248c3c053383c |
| SHA1 | 30c6b4118d2d6bdbc7254f9f7a2134bd0fc18e06 |
| SHA256 | 5b492b2a9c09381884d14e248d40ec65dc3ca7231aeb2b4a0447002d6926751c |
| SHA512 | ba58e221e1407821b225b245a268b317e7b510f19992c2de58b87b031226ebaacac560a92c164a89e7ed5cc1f220fcb841bb286d7ae8d4d22f01b6f41543506e |
C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmpFF7C.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpFFB7.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 703453310b82d7c3bf482c47841935b1 |
| SHA1 | 12da638ab0e8c01c126e2ab41696eab4608f33f6 |
| SHA256 | 89a5450d1fa25b335d4aa65ffbf83cb9c47f92465e09dfa661b773532358d472 |
| SHA512 | 8206715240711a713b2977207c08b755da0b419a1857da0daf49cb7c0a72550773877bfb1ae4f31d442a8df9e8e2e37445106ecbcf58adf492f0b6b13e8313ee |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |