Analysis Overview
SHA256
c4ff82eef890fe1422a1fa970b0e55acbebd40fcc936da211cac4fbc7191f56a
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Healer
DcRat
SmokeLoader
Glupteba
Detects Healer an antivirus disabler dropper
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
SectopRAT
RedLine payload
SectopRAT payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Windows security modification
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 23:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 23:13
Reported
2023-10-10 23:15
Platform
win7-20230831-en
Max time kernel
118s
Max time network
130s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
Adds Run key to start application
Note: every entry below is a wextract_cleanupN value under RunOnce whose command is rundll32 advpack.dll,DelNodeRunDLL32 <IXPnnn.TMP directory>. That is the WEXTRACT (IExpress) self-extractor stub scheduling deletion of its own temp directory at next logon; each stage of the nested chain (file.exe -> IXP000.TMP\uf4kL78.exe -> IXP001.TMP\kh7Ke07.exe -> IXP002.TMP\JK1Tw73.exe -> IXP003.TMP) writes one. It is a reliable sign that the sample is a nested SFX dropper, but it is not persistence for the payload.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1072 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 284
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
| MD5 | fac4493cca3a84ccca13bf71266940c6 |
| SHA1 | 5b9fc49ab7be5fd5224a0ac098dcad46fb023d1d |
| SHA256 | 0822847c499cdf1e711b3b7c1687c6a01d4bfb374ed433078e9700369264ddc7 |
| SHA512 | c53f2c3bc02ab4a108420d28a1a2f8a61e1e2c9de3ac680cd14cdeff17c8106772b38bc5ff6553aae7aa7f9e56f011dcd959079662de74ae5b4028898a1239ac |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
| MD5 | f8e69c9f9cdb5ecf7e184a52bd8d1ac3 |
| SHA1 | cc90ce93768c3820ddc0a9fd4159b0ce361c703a |
| SHA256 | c152cba55b199b68e3d10ce6a44d5f94aa3cb635bacfb7f3d2e06e2e8e92fd35 |
| SHA512 | 22ac9e4c3865d80dea8ded0c5e9df70515736d12a8d2aaf724bae1fe2a1ba364ada78faeed09514a154283507de508687822f66460f6e5b17099ce05b18e6ca2 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
| MD5 | ec2f1db1ea37f3d8e4cbdf006f9eb4a8 |
| SHA1 | 8fdf6461008a2ec0925926ecf6a2b6a05f1c6f6c |
| SHA256 | 7c965feb98ea070b49ea18546d9a7816a1017f4677cbca66c22233e4b5e37aad |
| SHA512 | 737fd59da2c3fba789b121a51169cb7a620b7081ce236ac4cd1b608524868493e48887720eb83446a629bba41116e1096e8fd2f3235b2634cc849c5df33187de |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
memory/2788-40-0x00000000020B0000-0x00000000020CE000-memory.dmp
memory/2788-41-0x0000000002130000-0x000000000214C000-memory.dmp
memory/2788-42-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-43-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-45-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-47-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-49-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-51-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-53-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-55-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-57-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-59-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-61-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-63-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-65-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-69-0x0000000002130000-0x0000000002146000-memory.dmp
memory/2788-67-0x0000000002130000-0x0000000002146000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
| MD5 | 371dc8c2029b9ce122c78657683e630f |
| SHA1 | 9ed66f17a1f57acce46bc691696f4029969307bd |
| SHA256 | 9f2db7598de5e915e50236c9702d3da40782bf06babcc1e023a4998e8ecc48eb |
| SHA512 | 15246935816eb92c5444e76295ba7086d8b7c1803f6c8aca2a65cca94c9a0b681cc7bee32965b57f3b0f1ef4d48b11895d96bb83b1c72d51f45b4f94f05bd9c2 |
memory/2720-76-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-78-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-82-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-80-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-84-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-86-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-88-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2720-89-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-91-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-93-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-94-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-99-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 23:13
Reported
2023-10-10 23:16
Platform
win10v2004-20230915-en
Max time kernel
132s
Max time network
177s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1FE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1FE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1FE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1FE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1FE.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1FE.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FB26.bat | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4BE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe | N/A |
Executes dropped EXE
Windows security modification
Note: Tamper Protection (Windows 10 1903 and later) is designed to block exactly this kind of user-mode change to Defender settings, so a logged write of TamperProtection = 0 does not prove the protection is off. On a live host confirm the effective state with Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled) rather than trusting the registry value.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1FE.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\F623.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe | N/A |
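The registry tables above mix two very different things: policy writes that impair Defender (the Real-Time Protection values and TamperProtection), and RunOnce clean-up entries written by the WEXTRACT self-extractor stubs, which the "Adds Run key" signature fires on but which start nothing of the payload. The classifier below, an added example and not part of the sandbox report, separates the two and attaches the ATT&CK technique. The record layout (process, full value path, data) is an assumption modelled on Sysmon Event ID 13; the first four sample records are copied from the tables above, the last one is hypothetical and exists only to show what a genuine autostart entry looks like by contrast.

```python
"""Triage registry writes of the kinds tabulated in the sandbox report."""
import re
from dataclasses import dataclass

# Defender real-time protection policy values; data 1 means "disabled".
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
WEXTRACT_CLEANUP = re.compile(r"^wextract_cleanup\d+$", re.I)
WOW64_NODE = re.compile(r"\\WOW6432Node(?=\\)", re.I)

# Constructed records (process, full value path, data), Sysmon Event ID 13 style.
# First four copied from the report; the last is hypothetical, not an indicator.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe",
     r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "1"),
    (r"C:\Users\Admin\AppData\Local\Temp\1FE.exe",
     r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring", "1"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe",
     r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0"),
    (r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    # Hypothetical genuine persistence, for contrast only.
    (r"C:\Users\Admin\AppData\Roaming\svchost_upd.exe",
     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\Admin\AppData\Roaming\svchost_upd.exe"),
]


@dataclass
class Finding:
    severity: str
    technique: str
    summary: str
    process: str
    path: str


def normalize(path):
    """Drop the WOW64 redirection node so 32-bit and 64-bit writers compare alike."""
    return WOW64_NODE.sub("", path)


def classify(process, path, data):
    """Return a Finding for one registry value write, or None if it is uninteresting."""
    key, _, value = normalize(path).rpartition("\\")
    k = key.lower()
    if (k.endswith(r"\policies\microsoft\windows defender\real-time protection")
            and value in DEFENDER_RTP_VALUES and data == "1"):
        return Finding("high", "T1562.001",
                       f"Defender real-time protection policy {value}=1", process, path)
    if (k.endswith(r"\microsoft\windows defender\features")
            and value.lower() == "tamperprotection" and data == "0"):
        return Finding("high", "T1562.001",
                       "Defender TamperProtection value set to 0", process, path)
    m = RUN_KEY.search(key)
    if m:
        if WEXTRACT_CLEANUP.match(value) and "delnoderundll32" in data.lower():
            # wextract.exe (IExpress) stubs register this to delete their own
            # IXPnnn.TMP directory at next logon; nothing of the payload is started.
            return Finding("info", "-",
                           "WEXTRACT self-extractor clean-up entry, not payload persistence",
                           process, path)
        return Finding("medium", "T1547.001",
                       f"{m.group(1)} autostart entry -> {data}", process, path)
    return None


def triage(events):
    """Classify every event; findings come back ordered high, medium, info."""
    rank = {"high": 0, "medium": 1, "info": 2}
    found = [f for f in (classify(*e) for e in events) if f]
    return sorted(found, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.technique:10} {f.summary}\n         {f.process}")
```

The same classification applies unchanged to a live host's Sysmon registry events or to the output of `reg query` against the two Defender keys; the WOW6432Node normalisation matters because, as the win10 run shows, one dropper wrote the redirected path and another the native one, and a rule keyed on a single literal path would miss one of them.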
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 920 set thread context of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3132 set thread context of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1644 set thread context of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4580 set thread context of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\FA1B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1156 set thread context of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe | C:\Windows\System32\Conhost.exe |
| PID 5340 set thread context of 5684 | N/A | C:\Users\Admin\AppData\Local\Temp\FE53.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
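Each "PID X set thread context of Y" row above, together with the UnmapMainImage, WriteProcessMemory and MapViewOfSection signatures in the summary, is one footprint of process hollowing (ATT&CK T1055.012): a dropper in %TEMP% starts a signed Microsoft host (AppLaunch.exe, Conhost.exe) suspended, replaces its image, redirects the main thread and resumes it. The detector below, an added example that is not part of the report, recognises that call sequence per (caller, target) pair instead of alerting on any single API. The trace format (one line per call: caller PID, API, target PID, details) is an assumed simplification of what an API monitor emits; the PIDs, host paths and the 0x400000-0x433000 region (the range the win7 run's memory/2720-* dumps cover for the AppLaunch.exe target) come from the report, the remaining call details are constructed.

```python
"""Recognise the process-hollowing call sequence from an API trace."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Canonical hollowing order: spawn a host suspended, carve out or re-allocate
# its image region, write the payload, point the main thread at its entry, resume.
STAGES = ["create_suspended", "unmap_or_alloc", "write", "set_context", "resume"]
API_STAGE = {
    "NtCreateUserProcess": "create_suspended",    # only counts with CREATE_SUSPENDED
    "NtUnmapViewOfSection": "unmap_or_alloc",     # the "UnmapMainImage" signature
    "NtAllocateVirtualMemory": "unmap_or_alloc",  # RWX region at the old image base
    "NtWriteVirtualMemory": "write",              # WriteProcessMemory underneath
    "NtSetContextThread": "set_context",          # SetThreadContext underneath
    "NtResumeThread": "resume",
}
LINE = re.compile(r"^(\d+)\s+(\w+)\s+(\d+)(?:\s+(.*))?$")

# Constructed trace. 920 -> 4200 mirrors "PID 920 set thread context of 4200"
# (2ox6316.exe -> AppLaunch.exe); 1156 -> 1068 (1OG42Qe5.exe -> Conhost.exe) is
# deliberately left incomplete to show a partial match.
SAMPLE_TRACE = r"""
920 NtCreateUserProcess 4200 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe flags=CREATE_SUSPENDED
920 NtUnmapViewOfSection 4200 base=0x00400000
920 NtAllocateVirtualMemory 4200 base=0x00400000 size=0x33000 protect=PAGE_EXECUTE_READWRITE
920 NtWriteVirtualMemory 4200 base=0x00400000 size=0x33000
920 NtSetContextThread 4200 eip=0x0040a2f0
920 NtResumeThread 4200
1156 NtCreateUserProcess 1068 image=C:\Windows\System32\Conhost.exe flags=CREATE_SUSPENDED
1156 NtWriteVirtualMemory 1068 base=0x00400000 size=0x1000
1156 NtResumeThread 1068
"""


@dataclass
class Verdict:
    caller: int
    target: int
    image: str
    complete: bool
    missing: list = field(default_factory=list)


def parse_trace(text):
    """Yield (caller_pid, api, target_pid, detail) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3)), m.group(4) or ""


def detect_hollowing(text):
    """Group calls by (caller, target) and check that all stages arrive in order."""
    first_seen = defaultdict(dict)   # (caller, target) -> stage -> line index
    images = {}
    for idx, (caller, api, target, detail) in enumerate(parse_trace(text)):
        stage = API_STAGE.get(api)
        if stage is None:
            continue
        if stage == "create_suspended":
            if "CREATE_SUSPENDED" not in detail:
                continue                          # ordinary child, not a host
            m = re.search(r"image=(\S+)", detail)
            images[(caller, target)] = m.group(1) if m else "?"
        first_seen[(caller, target)].setdefault(stage, idx)
    verdicts = []
    for pair, stages in first_seen.items():
        missing = [s for s in STAGES if s not in stages]
        order = [stages[s] for s in STAGES if s in stages]
        complete = not missing and order == sorted(order)
        verdicts.append(Verdict(pair[0], pair[1], images.get(pair, "?"), complete, missing))
    return verdicts


if __name__ == "__main__":
    for v in detect_hollowing(SAMPLE_TRACE):
        state = "HOLLOWING" if v.complete else f"partial, missing {v.missing}"
        print(f"{v.caller} -> {v.target} ({v.image}): {state}")
```

Requiring the full ordered sequence keeps debuggers and .NET tooling, which legitimately call SetThreadContext or WriteProcessMemory on their own children, out of the alert; the partial verdict is still worth logging, because a caller that writes into a suspended signed host and resumes it is rarely benign even without the unmap step.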
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1FE.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4200 -ip 4200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 200
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3132 -ip 3132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 600
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1644 -ip 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 600
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8141.tmp\8142.tmp\8143.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x144,0x178,0x7ffa99ae46f8,0x7ffa99ae4708,0x7ffa99ae4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa99ae46f8,0x7ffa99ae4708,0x7ffa99ae4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17899034150035375710,16723733400759851049,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,17899034150035375710,16723733400759851049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\F623.exe
C:\Users\Admin\AppData\Local\Temp\F623.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe
C:\Users\Admin\AppData\Local\Temp\FA1B.exe
C:\Users\Admin\AppData\Local\Temp\FA1B.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe
C:\Users\Admin\AppData\Local\Temp\FB26.bat
"C:\Users\Admin\AppData\Local\Temp\FB26.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 388
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC4D.tmp\FC4E.tmp\FC4F.bat C:\Users\Admin\AppData\Local\Temp\FB26.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1156 -ip 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1068 -ip 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99ae46f8,0x7ffa99ae4708,0x7ffa99ae4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\FE53.exe
C:\Users\Admin\AppData\Local\Temp\FE53.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffa99ae46f8,0x7ffa99ae4708,0x7ffa99ae4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1FE.exe
C:\Users\Admin\AppData\Local\Temp\1FE.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5340 -ip 5340
C:\Users\Admin\AppData\Local\Temp\4BE.exe
C:\Users\Admin\AppData\Local\Temp\4BE.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 408
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\3F86.exe
C:\Users\Admin\AppData\Local\Temp\3F86.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\B265.exe
C:\Users\Admin\AppData\Local\Temp\B265.exe
C:\Users\Admin\AppData\Local\Temp\source1.exe
"C:\Users\Admin\AppData\Local\Temp\source1.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\B583.exe
C:\Users\Admin\AppData\Local\Temp\B583.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\BA56.exe
C:\Users\Admin\AppData\Local\Temp\BA56.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5460 -ip 5460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 792
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.251.36.45:443 | accounts.google.com | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 9.240.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 27.30.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| CZ | 157.240.30.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| CZ | 157.240.30.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 35.30.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.209.247.8.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| NL | 85.209.176.171:80 | 85.209.176.171 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 171.176.209.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| US | 8.8.8.8:53 | tak.soydet.top | udp |
| FI | 95.217.246.182:8443 | tak.soydet.top | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 8.8.8.8:53 | 182.246.217.95.in-addr.arpa | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
| MD5 | fac4493cca3a84ccca13bf71266940c6 |
| SHA1 | 5b9fc49ab7be5fd5224a0ac098dcad46fb023d1d |
| SHA256 | 0822847c499cdf1e711b3b7c1687c6a01d4bfb374ed433078e9700369264ddc7 |
| SHA512 | c53f2c3bc02ab4a108420d28a1a2f8a61e1e2c9de3ac680cd14cdeff17c8106772b38bc5ff6553aae7aa7f9e56f011dcd959079662de74ae5b4028898a1239ac |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
| MD5 | f8e69c9f9cdb5ecf7e184a52bd8d1ac3 |
| SHA1 | cc90ce93768c3820ddc0a9fd4159b0ce361c703a |
| SHA256 | c152cba55b199b68e3d10ce6a44d5f94aa3cb635bacfb7f3d2e06e2e8e92fd35 |
| SHA512 | 22ac9e4c3865d80dea8ded0c5e9df70515736d12a8d2aaf724bae1fe2a1ba364ada78faeed09514a154283507de508687822f66460f6e5b17099ce05b18e6ca2 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
| MD5 | ec2f1db1ea37f3d8e4cbdf006f9eb4a8 |
| SHA1 | 8fdf6461008a2ec0925926ecf6a2b6a05f1c6f6c |
| SHA256 | 7c965feb98ea070b49ea18546d9a7816a1017f4677cbca66c22233e4b5e37aad |
| SHA512 | 737fd59da2c3fba789b121a51169cb7a620b7081ce236ac4cd1b608524868493e48887720eb83446a629bba41116e1096e8fd2f3235b2634cc849c5df33187de |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
memory/4848-28-0x0000000004A10000-0x0000000004A2E000-memory.dmp
memory/4848-29-0x0000000074A80000-0x0000000075230000-memory.dmp
memory/4848-30-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/4848-31-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/4848-32-0x0000000004A80000-0x0000000005024000-memory.dmp
memory/4848-33-0x0000000005090000-0x00000000050AC000-memory.dmp
memory/4848-35-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-34-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-37-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-39-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-41-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-43-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-45-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-47-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-49-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-51-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-53-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-55-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-57-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-59-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-61-0x0000000005090000-0x00000000050A6000-memory.dmp
memory/4848-62-0x0000000074A80000-0x0000000075230000-memory.dmp
memory/4848-63-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/4848-64-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/4848-66-0x0000000074A80000-0x0000000075230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
| MD5 | 371dc8c2029b9ce122c78657683e630f |
| SHA1 | 9ed66f17a1f57acce46bc691696f4029969307bd |
| SHA256 | 9f2db7598de5e915e50236c9702d3da40782bf06babcc1e023a4998e8ecc48eb |
| SHA512 | 15246935816eb92c5444e76295ba7086d8b7c1803f6c8aca2a65cca94c9a0b681cc7bee32965b57f3b0f1ef4d48b11895d96bb83b1c72d51f45b4f94f05bd9c2 |
memory/4200-70-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4200-71-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4200-72-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4200-74-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe
| MD5 | 12460906a7c3f7a8746a4fc8093cc317 |
| SHA1 | 6a4707caa81c1f4d013dfccc841b80e36b6a0456 |
| SHA256 | 64e4a89f517ea9eb63afd5fff5606789f40c3f92b785fe6badc952088562d6aa |
| SHA512 | ea0b3b5ac072eddba97680dbc13a63f2380e5a534e97a3417182f2ba347558396d8447126c325d418a81e0dec7376daf58f03f2b740cb543aece21884cd54324 |
memory/2580-78-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2580-79-0x0000000000400000-0x0000000000409000-memory.dmp
memory/764-80-0x0000000002A00000-0x0000000002A16000-memory.dmp
memory/2580-81-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe
| MD5 | 2b263a74414c8f43334f2892fa32d483 |
| SHA1 | f15321e32d5ed26a02ef940ef57fb917865630eb |
| SHA256 | 3306f2704bb1870c669656380ad353de5e4e2a7971e411ee8f4ef78819aa499a |
| SHA512 | 51ff275a8053ba631032f6f9c1a987224154d5ce2df8950b1c072a4f2cbd2be60b058833935d9eb5a6073537ddd9d28f2d6f26ada52ee2305b9e7f9ddde2f989 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe
| MD5 | 2b263a74414c8f43334f2892fa32d483 |
| SHA1 | f15321e32d5ed26a02ef940ef57fb917865630eb |
| SHA256 | 3306f2704bb1870c669656380ad353de5e4e2a7971e411ee8f4ef78819aa499a |
| SHA512 | 51ff275a8053ba631032f6f9c1a987224154d5ce2df8950b1c072a4f2cbd2be60b058833935d9eb5a6073537ddd9d28f2d6f26ada52ee2305b9e7f9ddde2f989 |
memory/1092-87-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1092-88-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/1092-89-0x00000000072E0000-0x0000000007372000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe
| MD5 | 9ffab6d848973016931d67e94f6b3f9e |
| SHA1 | cbb64af817ff95237c107f4e8838b642effb0e36 |
| SHA256 | 2f0f943047f9feb2f979de6582cf6e778427d10dd1fcc70f04ce0cdbd1ccbfb6 |
| SHA512 | 5c0d3165bedf54b3e8d2396a8bd5be960f6f596d5b74b6fd3f8e63dace38fcf13edbd127fab7913ba9f887e9064c3aeaae9afd4b1de7ab7dd4a0488d9faf40ed |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe
| MD5 | 9ffab6d848973016931d67e94f6b3f9e |
| SHA1 | cbb64af817ff95237c107f4e8838b642effb0e36 |
| SHA256 | 2f0f943047f9feb2f979de6582cf6e778427d10dd1fcc70f04ce0cdbd1ccbfb6 |
| SHA512 | 5c0d3165bedf54b3e8d2396a8bd5be960f6f596d5b74b6fd3f8e63dace38fcf13edbd127fab7913ba9f887e9064c3aeaae9afd4b1de7ab7dd4a0488d9faf40ed |
memory/1092-94-0x00000000074E0000-0x00000000074F0000-memory.dmp
memory/1092-95-0x0000000007290000-0x000000000729A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8141.tmp\8142.tmp\8143.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
memory/1092-97-0x00000000083C0000-0x00000000089D8000-memory.dmp
memory/1092-98-0x00000000076C0000-0x00000000077CA000-memory.dmp
memory/1092-99-0x0000000007510000-0x0000000007522000-memory.dmp
memory/1092-100-0x0000000007570000-0x00000000075AC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 45fe8440c5d976b902cfc89fb780a578 |
| SHA1 | 5696962f2d0e89d4c561acd58483b0a4ffeab800 |
| SHA256 | f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96 |
| SHA512 | efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25 |
memory/1092-104-0x00000000075B0000-0x00000000075FC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
\??\pipe\LOCAL\crashpad_3584_VZWUANNIMDNKIKMG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_1992_TWZUAZPQQZDBOKIC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b3f1da79c774aabc7377db42668d05fd |
| SHA1 | 4ae51e0aa411286ba8915cf6abd832abba96f5ab |
| SHA256 | d09bd5e4e3e2029bda46b5d830e844211a63db7afad583c01b1c62b39a84a817 |
| SHA512 | ae67ff8586ccb159406298e014c48f2e54dfb06a309ef5c7b5994e9052cf29ddb0f761a743919876f46a5fda89a1c4c1c0a01ee71caae4735518a206298b935a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bd4e16ab174921fa494f6c886a38d170 |
| SHA1 | e08a0f8dd542682f2753a1205b405c0dd0b59d88 |
| SHA256 | 7e971c17b4368cc0db985f72d51b1ed94d3feb4b704575ec5db3157bb204cb85 |
| SHA512 | caf3bc62e4feece1142110b0b296a3e8cc92c9a23b3c1ed9d6aa1df3d187396e220da8d28df878c256a38ab849fd3d2c0983484cfb1754549d1f9a871461b50e |
memory/1092-245-0x0000000074760000-0x0000000074F10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b3f1da79c774aabc7377db42668d05fd |
| SHA1 | 4ae51e0aa411286ba8915cf6abd832abba96f5ab |
| SHA256 | d09bd5e4e3e2029bda46b5d830e844211a63db7afad583c01b1c62b39a84a817 |
| SHA512 | ae67ff8586ccb159406298e014c48f2e54dfb06a309ef5c7b5994e9052cf29ddb0f761a743919876f46a5fda89a1c4c1c0a01ee71caae4735518a206298b935a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b31cf1ff8bf63192973c7d1325e18ed7 |
| SHA1 | 4a748cd4489860b0bfd25eccde79abaff761c5c8 |
| SHA256 | 964dd9964678d5b0d3656f7b9a5a5dcf6565bcaa049fed56d787cfee1e04a180 |
| SHA512 | 434301054cf0b25b71663aca7c944220624478f5da6f5711f06c96b3c8d02b02775710dd7a62f94b80c54684c31a8c6ab1a6acf59fda0a7c9c12eadffa6e8f9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e72f482f672bb256479df48a99999bb1 |
| SHA1 | a8b26d2c09bc59dcfba6da5a07feadf413baf3c7 |
| SHA256 | acdcdb2c743ac2f6a0f97f90cdba68d6436c7c998a6d6971568949307e723c82 |
| SHA512 | 267976ad130a86d3cecef9f7879d708e38a60e2c8416841df5fbb2ff1199b2341961fdb152ffd1b40a141a43e4f3d2565f657721c78b8dc22615c610410812dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 25ac77f8c7c7b76b93c8346e41b89a95 |
| SHA1 | 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a |
| SHA256 | 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b |
| SHA512 | df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | beaa0ca71907409713589bad56f43194 |
| SHA1 | ed92e405cb2c14e06a45b68abdd795d425d998d5 |
| SHA256 | 2fd96e1a713a2724a17d8b7998e42f2c133774a2222ed71ad9996688871b0b58 |
| SHA512 | b47757c7548f51210226d08b12e5f8cb0afc2da962caec27d556ea83b0c37498bb4775ecbe843290d347f883013764007ca84c5dd0d283be39125d2c723a7f37 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\F623.exe
| MD5 | 839f8fc33a04de86e8d5994b2aa6aea0 |
| SHA1 | 5cb533c20d178bf038d2da2c61eb95bc26433e7c |
| SHA256 | a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db |
| SHA512 | f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664 |
C:\Users\Admin\AppData\Local\Temp\F623.exe
| MD5 | 839f8fc33a04de86e8d5994b2aa6aea0 |
| SHA1 | 5cb533c20d178bf038d2da2c61eb95bc26433e7c |
| SHA256 | a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db |
| SHA512 | f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Wv57eP.exe
| MD5 | 9d4d147233220521442956ab1e41861a |
| SHA1 | b8377797207475fd453286d26f2d2a4bb8d83728 |
| SHA256 | c7df1e7fd95ac9e40120f055fe83ffd55998d2fb5e8406a787a3b0d2b5732e7d |
| SHA512 | becc06ca3397f84171c7cff851ff7c643e730ca00b9097296c2bc88046bc2d76f127d2594a7caed6d98be9588f2010896ec3adb46c13bc3b7be2aaa8529ec5ec |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
| MD5 | e82f10ca30c3674b591ba3761a00ff50 |
| SHA1 | e751249903f3eeaab829b9cb8e8ae4219222cd23 |
| SHA256 | 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9 |
| SHA512 | 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
| MD5 | e82f10ca30c3674b591ba3761a00ff50 |
| SHA1 | e751249903f3eeaab829b9cb8e8ae4219222cd23 |
| SHA256 | 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9 |
| SHA512 | 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe
| MD5 | 49984d4611ca7c02b606d50a958ddd24 |
| SHA1 | 836a4d3d4cd8baab3a823750e4d44e0c58001dd8 |
| SHA256 | 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5 |
| SHA512 | 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe
| MD5 | 49984d4611ca7c02b606d50a958ddd24 |
| SHA1 | 836a4d3d4cd8baab3a823750e4d44e0c58001dd8 |
| SHA256 | 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5 |
| SHA512 | 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed |
C:\Users\Admin\AppData\Local\Temp\FA1B.exe
| MD5 | a3935470ac75a6b353ae690082b55292 |
| SHA1 | 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86 |
| SHA256 | 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32 |
| SHA512 | f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde |
C:\Users\Admin\AppData\Local\Temp\FA1B.exe
| MD5 | a3935470ac75a6b353ae690082b55292 |
| SHA1 | 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86 |
| SHA256 | 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32 |
| SHA512 | f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe
| MD5 | 590173d0a05e97556709039366f07fea |
| SHA1 | 4402d6ea0d867c33ae1e852bb357053d01551e02 |
| SHA256 | 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6 |
| SHA512 | b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe
| MD5 | 590173d0a05e97556709039366f07fea |
| SHA1 | 4402d6ea0d867c33ae1e852bb357053d01551e02 |
| SHA256 | 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6 |
| SHA512 | b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe
| MD5 | 648ba0e942d7d0193ff347f9c3abd5e8 |
| SHA1 | ef7f4e5743b988a622664b53ed661badfd790c49 |
| SHA256 | 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba |
| SHA512 | e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe
| MD5 | 648ba0e942d7d0193ff347f9c3abd5e8 |
| SHA1 | ef7f4e5743b988a622664b53ed661badfd790c49 |
| SHA256 | 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba |
| SHA512 | e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe
| MD5 | 7bbb81dd416c9095b091a8928f9f417e |
| SHA1 | 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821 |
| SHA256 | 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441 |
| SHA512 | e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe
| MD5 | 7bbb81dd416c9095b091a8928f9f417e |
| SHA1 | 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821 |
| SHA256 | 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441 |
| SHA512 | e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee |
C:\Users\Admin\AppData\Local\Temp\FB26.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\FB26.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
memory/4848-353-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4848-354-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4848-355-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC4D.tmp\FC4E.tmp\FC4F.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
memory/1068-358-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1068-359-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1068-362-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
C:\Users\Admin\AppData\Local\Temp\FE53.exe
| MD5 | 93990eb50d3989187d96bbb7ee7307d2 |
| SHA1 | 1677aed3760a6348b97aa163134d23b49b7ed298 |
| SHA256 | 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e |
| SHA512 | e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95 |
C:\Users\Admin\AppData\Local\Temp\FE53.exe
| MD5 | 93990eb50d3989187d96bbb7ee7307d2 |
| SHA1 | 1677aed3760a6348b97aa163134d23b49b7ed298 |
| SHA256 | 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e |
| SHA512 | e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
C:\Users\Admin\AppData\Local\Temp\1FE.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
C:\Users\Admin\AppData\Local\Temp\1FE.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
memory/5560-379-0x0000000000A30000-0x0000000000A3A000-memory.dmp
memory/4848-378-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe
| MD5 | cded7d5b117a56fe62558b4e745efcb1 |
| SHA1 | f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8 |
| SHA256 | 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb |
| SHA512 | 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe
| MD5 | cded7d5b117a56fe62558b4e745efcb1 |
| SHA1 | f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8 |
| SHA256 | 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb |
| SHA512 | 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696 |
memory/5632-384-0x00000000007F0000-0x000000000082E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4BE.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/5560-481-0x00007FFA95FB0000-0x00007FFA96A71000-memory.dmp
memory/5632-482-0x0000000007850000-0x0000000007860000-memory.dmp
memory/5684-483-0x0000000007970000-0x0000000007980000-memory.dmp
memory/5632-484-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/5684-485-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/5560-509-0x00007FFA95FB0000-0x00007FFA96A71000-memory.dmp
memory/5632-510-0x0000000007850000-0x0000000007860000-memory.dmp
memory/5684-511-0x0000000007970000-0x0000000007980000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 082f641a21e6b42f4664b71c7261fcc0 |
| SHA1 | ddf5f7fd2608e0b78f107e1d85264c372269e9ac |
| SHA256 | 9ea93e584942140eeb17d411c101c864c70989963dd6254fc8b90ef29a5b4eac |
| SHA512 | 97411c65cc33ca79adce3fd0acbdad3bf0b2837a2b4e8f756598965bdb921234b1f19ad7f03163196af948dd5c39719481f2460f4e089172a5330935b9fbca09 |
memory/5560-545-0x00007FFA95FB0000-0x00007FFA96A71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a6f4.TMP
| MD5 | aafc97fc8853041734760269d95a63c2 |
| SHA1 | 138b084c9f5f654cace3ad551aa6c4a03b27b75c |
| SHA256 | c267efd77fa4af8c00c4a3f94b86024a07b3ae8587192c893188cca43c3986f2 |
| SHA512 | e5fea0d115fe8ccf6009d33ae61bad541ce172767ec5ecddb04f3d1f2ae493ac60b5213e1fcef5019f6a061062ceff9acd5641e98171ea7c33e15e4922ea7959 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 80425d045881e9f920f540ca1d0cf22c |
| SHA1 | 6c98c416637eef316b3180e1dba1abd0967bb743 |
| SHA256 | b8d3378b7af46ed3f22664dba5ec836e1e008367c72c7aa7b0fbbaba08d1a148 |
| SHA512 | d217fa2d6c994a83aceb52e84aa7c323c5c73e39c58251faf7aa927dae4e7b72640e503ea6fe8ca2c1323638643ec189218ce419874c4d7620629da5c69a9de9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4d49938cfb41f6b23c9c0ab3ee211bc0 |
| SHA1 | 8f1f1be59734f8279b596a024fab8fca0b5290e5 |
| SHA256 | 07982de27ad2af276b22758c996e8cb4e5bc174919b47135dea91a6e721f6350 |
| SHA512 | dd22d5c328dc5afe86c2310a4b60e421cef1f98983f5d79d8469f470e8f899f95fcc0155b0146b3686de33cb5ebe1311e3e6f8b7f472b1e66f3666c951edd117 |
memory/2632-562-0x0000000074760000-0x0000000074F10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | fca118b10b39c6a5ccbd41836c9fdc1a |
| SHA1 | 396a69e6f501b7ceff45ddb1d365e0bf00f73720 |
| SHA256 | 5476997817a32ab11036754ce4be6630b1cb4e5be9c46906c0a328c54e9a4b6d |
| SHA512 | 8752e7fb86a705b9aee8fd83d5f156c18563a8cd68c1d66c2f23c9ddba4f9954ffb79d24d8f3aefd7f087679107a92aa113e8f88823fbefb2e3e2f3ff8190a41 |
memory/2632-563-0x0000000000020000-0x0000000000F4A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4f98340714e49653a52ce9087c963d49 |
| SHA1 | 970f5b869e0ce3de612f60255c54ee58fb939baa |
| SHA256 | 728a70daa9c6bcf6f5570dbbc21f3b82af91d424c2f76a1c3b515b5edb473bba |
| SHA512 | e12fbc7963d2f9856f5a2d4b454195cd3fddfd9063a7b31a02a7acda79a5e2da2f1811bc518af283f2973fcbf295c08cb370c65e0fcc130eea710c6a40ec9033 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b44f3ea702caf5fba20474d4678e67f6 |
| SHA1 | d33da22fcd5674123807aaf01123d49a69901e33 |
| SHA256 | 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8 |
| SHA512 | ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | aa6f521d78f6e9101a1a99f8bfdfbf08 |
| SHA1 | 81abd59d8275c1a1d35933f76282b411310323be |
| SHA256 | 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d |
| SHA512 | 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153 |
C:\Users\Admin\AppData\Local\Temp\source1.exe
| MD5 | e082a92a00272a3c1cd4b0de30967a79 |
| SHA1 | 16c391acf0f8c637d36a93e217591d8319e3f041 |
| SHA256 | eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc |
| SHA512 | 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288 |
memory/2204-601-0x0000000074760000-0x0000000074F10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/2204-602-0x0000000000D70000-0x0000000001286000-memory.dmp
memory/2632-608-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/3144-610-0x00000000023A0000-0x00000000023A9000-memory.dmp
memory/2204-612-0x0000000005CD0000-0x0000000005CE0000-memory.dmp
memory/2204-615-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/2204-614-0x0000000005DE0000-0x0000000005E7C000-memory.dmp
memory/4112-613-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4112-611-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3144-609-0x0000000002590000-0x0000000002690000-memory.dmp
memory/5460-617-0x0000000000400000-0x000000000046F000-memory.dmp
memory/5460-619-0x0000000000700000-0x000000000075A000-memory.dmp
memory/1480-624-0x00000000001C0000-0x00000000001DE000-memory.dmp
memory/1684-627-0x00000000007D0000-0x00000000007EE000-memory.dmp
memory/1480-625-0x0000000000400000-0x0000000000431000-memory.dmp
memory/5460-629-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/1684-631-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/1480-632-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/5232-633-0x0000000004720000-0x000000000500B000-memory.dmp
memory/5232-635-0x0000000000400000-0x000000000266D000-memory.dmp
memory/5232-636-0x0000000004220000-0x0000000004620000-memory.dmp
memory/1684-637-0x0000000005040000-0x0000000005050000-memory.dmp
memory/1480-638-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/2204-641-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/764-642-0x0000000002AB0000-0x0000000002AC6000-memory.dmp
memory/4112-643-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2204-646-0x0000000005CD0000-0x0000000005CE0000-memory.dmp
memory/5232-648-0x0000000000400000-0x000000000266D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 226a644e62f4322853a1b1457b733e57 |
| SHA1 | c40d63b9771f309354c41f60b00cee390625f8f6 |
| SHA256 | 4997db8ff7d74fcdf70d8ff577d719877d324718bc32d2f944f46d489c18e4f3 |
| SHA512 | 8d58992f6fe1919d1830db2e00812b5ac6bdf518fc30b17c6cf9e73329a5530e28755d66b7e3dd421a7f77d79ff68896b7129f156e8711b2311b52b15996a44a |
memory/2204-670-0x0000000005FE0000-0x0000000005FFC000-memory.dmp
memory/4744-669-0x00007FF7BE410000-0x00007FF7BE9B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
memory/5460-676-0x0000000000400000-0x000000000046F000-memory.dmp
memory/5460-677-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/5232-678-0x0000000000400000-0x000000000266D000-memory.dmp
memory/1684-681-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/5232-682-0x0000000004720000-0x000000000500B000-memory.dmp