Analysis Overview
SHA256
ac9fcf3216053bfe19fd248a87d53f7e84ccb8534a5b72f01f6b2312437ffa05
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
Mystic
Detected google phishing page
DcRat
RedLine payload
SectopRAT payload
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
RedLine
Glupteba payload
Healer
Detect Mystic stealer payload
SectopRAT
Detects Healer an antivirus disabler dropper
Glupteba
Amadey
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Drops file in Drivers directory
Downloads MZ/PE file
Stops running service(s)
Modifies Windows Firewall
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Windows security modification
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies system certificate store
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 20:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 20:29
Reported
2023-10-10 20:41
Platform
win7-20230831-en
Max time kernel
143s
Max time network
145s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detected google phishing page
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 524 created 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 524 created 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 524 created 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 524 created 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\E59E.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2352 set thread context of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2432 set thread context of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 2688 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\source1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20231010204038.cab | C:\Windows\system32\makecab.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c46f17bafbd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{31078E71-67AD-11EE-8DA3-C6004B6B9118} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403735400" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c3000000000200000000001066000000010000200000006862e53ff0c4263721a3ab079c6c238bdf250d23779f08335ba8739e58f886dd000000000e8000000002000020000000836cdf7a7b36f4eb37643a4e4ceeebdfa93759ed6cf3e9d86b558e5be973be07200000005d8b0049eda457e283d76d40957d9a92a3cd75bdc741fdf5993b9bf854540f8b40000000ccf9e45811fee1b9ede24644c78ef99fd604a49488c3fccd8eb681b3afc4485255c9e2ef79af2a6ec313dae0a983387e8db0d804df1a152831c098ccbbf97228 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EE59.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\source1.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6E27.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 36
C:\Users\Admin\AppData\Local\Temp\E59E.exe
C:\Users\Admin\AppData\Local\Temp\E59E.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
C:\Users\Admin\AppData\Local\Temp\E7D1.exe
C:\Users\Admin\AppData\Local\Temp\E7D1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 132
C:\Users\Admin\AppData\Local\Temp\E8EA.bat
"C:\Users\Admin\AppData\Local\Temp\E8EA.bat"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\EB59.tmp\EB89.bat C:\Users\Admin\AppData\Local\Temp\E8EA.bat"
C:\Users\Admin\AppData\Local\Temp\ED3F.exe
C:\Users\Admin\AppData\Local\Temp\ED3F.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe
C:\Users\Admin\AppData\Local\Temp\EE59.exe
C:\Users\Admin\AppData\Local\Temp\EE59.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 132
C:\Users\Admin\AppData\Local\Temp\F211.exe
C:\Users\Admin\AppData\Local\Temp\F211.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\1F1B.exe
C:\Users\Admin\AppData\Local\Temp\1F1B.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\source1.exe
"C:\Users\Admin\AppData\Local\Temp\source1.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\6417.exe
C:\Users\Admin\AppData\Local\Temp\6417.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 528
C:\Users\Admin\AppData\Local\Temp\69A4.exe
C:\Users\Admin\AppData\Local\Temp\69A4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 508
C:\Users\Admin\AppData\Local\Temp\6E27.exe
C:\Users\Admin\AppData\Local\Temp\6E27.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010204038.log C:\Windows\Logs\CBS\CbsPersist_20231010204038.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\taskeng.exe
taskeng.exe {F36109E5-1799-4187-A6F2-53B2EF5E30F3} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| US | 8.8.8.8:53 | accounts.youtube.com | udp |
| NL | 142.250.179.206:443 | accounts.youtube.com | tcp |
| NL | 142.250.179.206:443 | accounts.youtube.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| NL | 85.209.176.171:80 | 85.209.176.171 | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | bytecloudasa.website | udp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 7738da3e-8222-4d71-8e23-2ed07f8f1639.uuid.cdntokiog.studio | udp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | bytecloudasa.website | udp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
| US | 172.67.212.39:80 | bytecloudasa.website | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
| MD5 | 9c5f6b6f7d55921ce52c8145e9d0a3b6 |
| SHA1 | ec1bb8da4c4b833616dcd9175247ab2c4290bb31 |
| SHA256 | a477c7e234f8d3318fc741bd31e738d1c90ef335b88aeed9dd18b8769ff69659 |
| SHA512 | 37161767ede7f531e4d7be978e2af48a68267f13d2acde819e63df9a34e02bba18b5e02069912758d1b5b932cb29dd8c617efc4ede74ee00f495b475a3c29d6b |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
| MD5 | 9c5f6b6f7d55921ce52c8145e9d0a3b6 |
| SHA1 | ec1bb8da4c4b833616dcd9175247ab2c4290bb31 |
| SHA256 | a477c7e234f8d3318fc741bd31e738d1c90ef335b88aeed9dd18b8769ff69659 |
| SHA512 | 37161767ede7f531e4d7be978e2af48a68267f13d2acde819e63df9a34e02bba18b5e02069912758d1b5b932cb29dd8c617efc4ede74ee00f495b475a3c29d6b |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
| MD5 | 9c5f6b6f7d55921ce52c8145e9d0a3b6 |
| SHA1 | ec1bb8da4c4b833616dcd9175247ab2c4290bb31 |
| SHA256 | a477c7e234f8d3318fc741bd31e738d1c90ef335b88aeed9dd18b8769ff69659 |
| SHA512 | 37161767ede7f531e4d7be978e2af48a68267f13d2acde819e63df9a34e02bba18b5e02069912758d1b5b932cb29dd8c617efc4ede74ee00f495b475a3c29d6b |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
| MD5 | 9c5f6b6f7d55921ce52c8145e9d0a3b6 |
| SHA1 | ec1bb8da4c4b833616dcd9175247ab2c4290bb31 |
| SHA256 | a477c7e234f8d3318fc741bd31e738d1c90ef335b88aeed9dd18b8769ff69659 |
| SHA512 | 37161767ede7f531e4d7be978e2af48a68267f13d2acde819e63df9a34e02bba18b5e02069912758d1b5b932cb29dd8c617efc4ede74ee00f495b475a3c29d6b |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
memory/2736-23-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2736-24-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2736-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2736-26-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2736-27-0x0000000000400000-0x0000000000409000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
memory/1268-32-0x0000000002B90000-0x0000000002BA6000-memory.dmp
memory/2736-35-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E59E.exe
| MD5 | 4dc84b5df7ee95cdeb77587551f275bf |
| SHA1 | 842473aaf295afd6deda1bcc20de2b51cc8df41f |
| SHA256 | aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a |
| SHA512 | 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841 |
\Users\Admin\AppData\Local\Temp\E59E.exe
| MD5 | 4dc84b5df7ee95cdeb77587551f275bf |
| SHA1 | 842473aaf295afd6deda1bcc20de2b51cc8df41f |
| SHA256 | aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a |
| SHA512 | 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841 |
C:\Users\Admin\AppData\Local\Temp\E59E.exe
| MD5 | 4dc84b5df7ee95cdeb77587551f275bf |
| SHA1 | 842473aaf295afd6deda1bcc20de2b51cc8df41f |
| SHA256 | aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a |
| SHA512 | 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
| MD5 | 8899beca899dfb63b0ef64c806172f0d |
| SHA1 | 77c23735a2bdc850c9307c6453ba40b6060ddf68 |
| SHA256 | 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c |
| SHA512 | f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
| MD5 | 8899beca899dfb63b0ef64c806172f0d |
| SHA1 | 77c23735a2bdc850c9307c6453ba40b6060ddf68 |
| SHA256 | 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c |
| SHA512 | f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
| MD5 | 8899beca899dfb63b0ef64c806172f0d |
| SHA1 | 77c23735a2bdc850c9307c6453ba40b6060ddf68 |
| SHA256 | 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c |
| SHA512 | f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e |
C:\Users\Admin\AppData\Local\Temp\E7D1.exe
| MD5 | a9363557d2eb8af06a9c3e6c5e29e67c |
| SHA1 | 6ff0a1209514e798f5ec2a44240424024e678de3 |
| SHA256 | ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209 |
| SHA512 | 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
| MD5 | 2422b9a0ed2081a58526efd47556f5b6 |
| SHA1 | 4ab2b51421c19ad73b8c44afc131ba0837ce0715 |
| SHA256 | 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12 |
| SHA512 | a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
| MD5 | 2422b9a0ed2081a58526efd47556f5b6 |
| SHA1 | 4ab2b51421c19ad73b8c44afc131ba0837ce0715 |
| SHA256 | 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12 |
| SHA512 | a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c |
\Users\Admin\AppData\Local\Temp\E7D1.exe
| MD5 | a9363557d2eb8af06a9c3e6c5e29e67c |
| SHA1 | 6ff0a1209514e798f5ec2a44240424024e678de3 |
| SHA256 | ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209 |
| SHA512 | 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb |
C:\Users\Admin\AppData\Local\Temp\E8EA.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
| MD5 | 73125a5ae5fd152baaeedc235c1fbeac |
| SHA1 | cd2330bc6fc7ef385b00a45234d9645a6d0c39f2 |
| SHA256 | 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38 |
| SHA512 | 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
| MD5 | 73125a5ae5fd152baaeedc235c1fbeac |
| SHA1 | cd2330bc6fc7ef385b00a45234d9645a6d0c39f2 |
| SHA256 | 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38 |
| SHA512 | 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52 |
\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe
| MD5 | 29e94bc491b607b48b76a53a9d9a2a51 |
| SHA1 | b10963258329363a804b57936f5a5a6193a59bc3 |
| SHA256 | 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042 |
| SHA512 | 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe
| MD5 | 29e94bc491b607b48b76a53a9d9a2a51 |
| SHA1 | b10963258329363a804b57936f5a5a6193a59bc3 |
| SHA256 | 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042 |
| SHA512 | 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31 |
C:\Users\Admin\AppData\Local\Temp\ED3F.exe
| MD5 | 5977195ba9d7828a029853e02fb8642b |
| SHA1 | 535786cf6258737184d37feaa376d60a2ca2d756 |
| SHA256 | 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd |
| SHA512 | 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45 |
\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\EB59.tmp\EB89.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
C:\Users\Admin\AppData\Local\Temp\EE59.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
C:\Users\Admin\AppData\Local\Temp\F211.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
\Users\Admin\AppData\Local\Temp\ED3F.exe
| MD5 | 5977195ba9d7828a029853e02fb8642b |
| SHA1 | 535786cf6258737184d37feaa376d60a2ca2d756 |
| SHA256 | 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd |
| SHA512 | 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45 |
\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/588-167-0x0000000000130000-0x000000000013A000-memory.dmp
memory/588-168-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
memory/588-202-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1F1B.exe
| MD5 | 1f353056dfcf60d0c62d87b84f0a5e3f |
| SHA1 | c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0 |
| SHA256 | f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e |
| SHA512 | 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d |
memory/1592-214-0x0000000000CA0000-0x0000000001BCA000-memory.dmp
memory/1592-217-0x0000000070F50000-0x000000007163E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b44f3ea702caf5fba20474d4678e67f6 |
| SHA1 | d33da22fcd5674123807aaf01123d49a69901e33 |
| SHA256 | 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8 |
| SHA512 | ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b44f3ea702caf5fba20474d4678e67f6 |
| SHA1 | d33da22fcd5674123807aaf01123d49a69901e33 |
| SHA256 | 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8 |
| SHA512 | ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | aa6f521d78f6e9101a1a99f8bfdfbf08 |
| SHA1 | 81abd59d8275c1a1d35933f76282b411310323be |
| SHA256 | 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d |
| SHA512 | 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153 |
memory/2688-242-0x0000000000D50000-0x0000000001266000-memory.dmp
memory/2688-241-0x0000000070F50000-0x000000007163E000-memory.dmp
memory/2432-246-0x0000000002420000-0x0000000002520000-memory.dmp
memory/2432-247-0x0000000000230000-0x0000000000239000-memory.dmp
memory/1592-250-0x0000000070F50000-0x000000007163E000-memory.dmp
memory/680-249-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/680-254-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2520-253-0x0000000003FA0000-0x0000000004398000-memory.dmp
memory/680-252-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2520-255-0x0000000003FA0000-0x0000000004398000-memory.dmp
memory/2520-256-0x00000000043A0000-0x0000000004C8B000-memory.dmp
memory/2520-280-0x0000000000400000-0x000000000266D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8BT23REO\favicon[2].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
memory/588-287-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
memory/2688-288-0x0000000000D10000-0x0000000000D50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab63A4.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar63B7.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\Local\Temp\6417.exe
| MD5 | 21b738f4b6e53e6d210996fa6ba6cc69 |
| SHA1 | 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41 |
| SHA256 | 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58 |
| SHA512 | f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81 |
memory/2400-309-0x0000000000320000-0x000000000037A000-memory.dmp
memory/2688-308-0x0000000070F50000-0x000000007163E000-memory.dmp
memory/2688-311-0x0000000000340000-0x0000000000341000-memory.dmp
memory/2400-313-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2400-315-0x0000000070F50000-0x000000007163E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\69A4.exe
| MD5 | 109da216e61cf349221bd2455d2170d4 |
| SHA1 | ea6983b8581b8bb57e47c8492783256313c19480 |
| SHA256 | a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400 |
| SHA512 | 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26 |
memory/1268-420-0x0000000002B00000-0x0000000002B16000-memory.dmp
memory/1648-422-0x0000000000020000-0x000000000003E000-memory.dmp
memory/680-421-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1648-437-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2520-438-0x0000000003FA0000-0x0000000004398000-memory.dmp
memory/1648-439-0x0000000070F50000-0x000000007163E000-memory.dmp
memory/1976-471-0x00000000008D0000-0x00000000008EE000-memory.dmp
memory/1976-472-0x0000000070F50000-0x000000007163E000-memory.dmp
memory/1976-492-0x0000000000540000-0x0000000000580000-memory.dmp
memory/2520-482-0x00000000043A0000-0x0000000004C8B000-memory.dmp
memory/2520-493-0x0000000000400000-0x000000000266D000-memory.dmp
memory/2520-494-0x0000000000400000-0x000000000266D000-memory.dmp
memory/524-495-0x000000013FAF0000-0x0000000140091000-memory.dmp
memory/2688-496-0x0000000000D10000-0x0000000000D50000-memory.dmp
memory/2400-497-0x0000000070F50000-0x000000007163E000-memory.dmp
memory/2520-498-0x0000000000400000-0x000000000266D000-memory.dmp
memory/868-499-0x00000000041C0000-0x00000000045B8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ea3a00df8ad8a8400085912b1672258 |
| SHA1 | dff349624bdfe660ec7d14df6646423faef322d8 |
| SHA256 | 02f75f738e8b5e94f56146b6a5edb68f12602526787a860d5c4bc4e86f337c33 |
| SHA512 | b8e99c4cda76ad47987c74cc2eeb1580c99677ffdf87b6ec98e700b14f41a45bd6e1fd6bb6bdb7a16e812990aff3b09face39d94376015e366b12e2c62699374 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 56dfaddfc07904c272540cf0a5e02c3a |
| SHA1 | 2a7e13c8312f4906caeb5be5d77b8069713dee42 |
| SHA256 | 8234e9381e8b845f4301d327d0f3a66555bd906df557cd5c6284cb3de4c83eb0 |
| SHA512 | db5106ca41806a4b14ae4236b775f536343cca5eb1e5e7304908a37697d267eb3f3955cb74a827551ff512d6dc9977a022fe42bd1927942862c2fb201ec80664 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
memory/868-649-0x00000000041C0000-0x00000000045B8000-memory.dmp
memory/868-650-0x0000000000400000-0x000000000266D000-memory.dmp
memory/1976-651-0x0000000070F50000-0x000000007163E000-memory.dmp
memory/1976-652-0x0000000000540000-0x0000000000580000-memory.dmp
memory/2688-687-0x0000000000700000-0x000000000071C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB8FD.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpB932.tmp
| MD5 | f53b7e590a4c6068513b2b42ceaf6292 |
| SHA1 | 7d48901a22cd17519884cef703088b16eb8ab04f |
| SHA256 | 1ba7ecb5cecec10e4cc16b2e5668ba5ea4f52307f5543aba78e83de61e9fb3bf |
| SHA512 | db510c474e4736ae8d23ee020bc029966f8ff2a9146dfc6a79604b05c4d95a4ce7a3d91a26c7d056e925012d62f459744db1d6df91e65c3da77ef6a1ab0ee231 |
memory/2688-713-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-714-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-727-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-753-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-755-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-758-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-760-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-762-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-764-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-766-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-768-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-770-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-772-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2688-773-0x0000000000780000-0x0000000000781000-memory.dmp
memory/2920-780-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2920-779-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
memory/2920-788-0x0000000000400000-0x000000000047F000-memory.dmp
memory/868-778-0x0000000000400000-0x000000000266D000-memory.dmp
memory/2920-782-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2920-789-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2920-781-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2920-792-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
memory/2920-799-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2920-801-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2724-802-0x00000000040B0000-0x00000000044A8000-memory.dmp
memory/2724-811-0x0000000000400000-0x000000000266D000-memory.dmp
memory/2772-812-0x0000000002250000-0x00000000022D0000-memory.dmp
memory/2688-813-0x0000000070F50000-0x000000007163E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 43b4b8517ec4236a13c2487df9f2cd99 |
| SHA1 | 89b85a04ae615197ed21a8d52626c19e5ec93c67 |
| SHA256 | e63b6f1ab74ca074366c1c9a0981182e7f69f1eb76459983c5a06c02f8b014ca |
| SHA512 | 33023c1c99099271a4b3a7051b74ba57f5ff369a208a954bf0685254918a89b3f9d8c704aff4ea19bba5b73277607d9a2cb2acaae6bc2d3b3f073421c6734bdc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
memory/2772-868-0x000000001B270000-0x000000001B552000-memory.dmp
memory/2772-869-0x0000000002320000-0x0000000002328000-memory.dmp
memory/1976-897-0x0000000070F50000-0x000000007163E000-memory.dmp
memory/2772-906-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1ff62045a2271a67248349b53172556 |
| SHA1 | ff58f3b5bed20de06461756229a35876b4e97fed |
| SHA256 | 1ae215bd8ec48e6b46aafb7abf86632f0911b928c4964387bb40ff6d046e14f0 |
| SHA512 | 1a0330aeff7c67a9b31e9a18bb6296d9dfb1497d0f27d0830d072da6812b25017e743a2c68ba358277fa6e2410486663134aac77e65fb5f42911c87a73cac1bc |
memory/2772-929-0x0000000002254000-0x0000000002257000-memory.dmp
memory/2772-931-0x000000000225B000-0x00000000022C2000-memory.dmp
memory/2772-932-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6108fe8f8cb0a007241efeb7a6fcf2ed |
| SHA1 | f366a29ab50b59a3edc72da59edd0e7d8e763ffd |
| SHA256 | 12b06332903bddc1a504463d9ffbe3bf56a7cc2f0c6574c03d8df01b9a61ddc6 |
| SHA512 | e8403160f214a380996b49625407bf893386022cf5f5e412e070d75c83dd4e83c5f7bbeef3044f0eefd86b53577610374f2e4e36283c4510fb975a67be1267f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d69b43be310a7e6beed4c4431565ae9f |
| SHA1 | 2587e01f500179a6d5221745ad4ea2918a47145f |
| SHA256 | b99b596b9b550d7f9eb7e66d9b610511c400a0a38d05ea1fa759ed64e345b097 |
| SHA512 | bc2a279513eab86e4b00fd2da6b798c64109d69dd3710fb1494ee386311a49220de419cd2817d02f0b1c430100f024a195bee242a9020e9f72ca38904c6be81b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DIAQW8FOMM714SORWEG.temp
| MD5 | 2b8db6c06a27ad21fa3a4767539743ab |
| SHA1 | d178e8148e1ec0371818588738574a1d7228572f |
| SHA256 | e1499f7964aae162b20ec4cdd37b22f8457be16707568831ec0270c9f44d41c8 |
| SHA512 | a5f31459b44777fe58cd87e8b9698c7e0eae2e0464da5625ea98cd4e9995232d4c84ab3ef79b5fb4f348ff08cae7cfe041ce51d3234d0652463d6654a49c3663 |
memory/2032-1043-0x000000001B2F0000-0x000000001B5D2000-memory.dmp
memory/2032-1044-0x0000000001F50000-0x0000000001F58000-memory.dmp
memory/2032-1046-0x00000000027A0000-0x0000000002820000-memory.dmp
memory/2032-1045-0x000007FEF4A50000-0x000007FEF53ED000-memory.dmp
memory/2032-1056-0x000007FEF4A50000-0x000007FEF53ED000-memory.dmp
memory/2032-1066-0x00000000027A0000-0x0000000002820000-memory.dmp
memory/2032-1069-0x00000000027A0000-0x0000000002820000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80e0baa7c1ef96100e8728dd9621989a |
| SHA1 | cdab0ccd11883877c178f5c726e0b7a62c92c6a7 |
| SHA256 | 753b678446cb0ded79d6da616096237f6d4f9bda78d53b4db60ee6f382b7a761 |
| SHA512 | 8c12c933da33eb9d126992f6116e2cea1c0e62c3a8464c1802fda962e8a6128e8be0b8b3c89d82ef9468f90bd492bb59ed836c20c5c2089faca65895c37cdb0e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 86eb821dd5010e63f4b7b64b3871c358 |
| SHA1 | dce212fdf0c89513c431928fc0ca42af58b297f5 |
| SHA256 | d8c0095b7703b16bd5f42c23aa6e58f30cad6caad57e27e2067af469a3e744b4 |
| SHA512 | 58171b31d7a6d67caa1991d2ff4a5ad95615fc3ae20dae150203e0d763f4e609fc75d87d3592d41a116f3ad16a0abff2ffc41a9baf69f0897c7897f1146757b1 |
memory/2920-1134-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2920-1141-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2724-1145-0x0000000000400000-0x000000000266D000-memory.dmp
memory/2032-1146-0x00000000027A0000-0x0000000002820000-memory.dmp
memory/2032-1148-0x000007FEF4A50000-0x000007FEF53ED000-memory.dmp
memory/2032-1149-0x00000000027A0000-0x0000000002820000-memory.dmp
memory/2032-1150-0x000007FEF4A50000-0x000007FEF53ED000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8BT23REO\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2023-10-10 20:29 |
| Reported | 2023-10-10 20:42 |
| Platform | win10v2004-20230915-en |
| Max time kernel | 114s |
| Max time network | 155s |
Command Line
Signatures
Amadey
DcRat
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\F627.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\F627.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\F627.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\F627.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\F627.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\F627.exe | N/A |
Mystic
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4780 created 536 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 4780 created 536 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 4780 created 536 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 4780 created 536 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 4780 created 536 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F9D1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\345B.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EFDB.bat | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\F627.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ED88.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F627.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 152
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8216858.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8216858.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1724 -ip 1724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1628 -ip 1628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3744547.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3744547.exe
C:\Users\Admin\AppData\Local\Temp\ED88.exe
C:\Users\Admin\AppData\Local\Temp\ED88.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
C:\Users\Admin\AppData\Local\Temp\EF00.exe
C:\Users\Admin\AppData\Local\Temp\EF00.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
C:\Users\Admin\AppData\Local\Temp\EFDB.bat
"C:\Users\Admin\AppData\Local\Temp\EFDB.bat"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
C:\Users\Admin\AppData\Local\Temp\F1E0.exe
C:\Users\Admin\AppData\Local\Temp\F1E0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4760 -ip 4760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 428
C:\Users\Admin\AppData\Local\Temp\F627.exe
C:\Users\Admin\AppData\Local\Temp\F627.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3564 -ip 3564
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1704 -ip 1704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2560 -ip 2560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 192
C:\Users\Admin\AppData\Local\Temp\F9D1.exe
C:\Users\Admin\AppData\Local\Temp\F9D1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F1FC.tmp\F24B.tmp\F24C.bat C:\Users\Admin\AppData\Local\Temp\EFDB.bat"
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4204 -s 592
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff783346f8,0x7fff78334708,0x7fff78334718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff783346f8,0x7fff78334708,0x7fff78334718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2392 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\345B.exe
C:\Users\Admin\AppData\Local\Temp\345B.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3416416643417193577,1722644032392507923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3416416643417193577,1722644032392507923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\629F.exe
C:\Users\Admin\AppData\Local\Temp\629F.exe
C:\Users\Admin\AppData\Local\Temp\6698.exe
C:\Users\Admin\AppData\Local\Temp\6698.exe
C:\Users\Admin\AppData\Local\Temp\source1.exe
"C:\Users\Admin\AppData\Local\Temp\source1.exe"
C:\Users\Admin\AppData\Local\Temp\6A81.exe
C:\Users\Admin\AppData\Local\Temp\6A81.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=629F.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7fff783346f8,0x7fff78334708,0x7fff78334718
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=629F.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7fff783346f8,0x7fff78334708,0x7fff78334718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12999956886934384098,14028100951986794209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| CZ | 157.240.30.27:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.30.240.157.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| CZ | 157.240.30.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | 35.30.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| CZ | 157.240.30.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 183.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| IE | 99.80.170.99:443 | mscom.demdex.net | tcp |
| US | 8.8.8.8:53 | target.microsoft.com | udp |
| US | 8.8.8.8:53 | microsoftmscompoc.tt.omtrdc.net | udp |
| US | 8.8.8.8:53 | 99.170.80.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tak.soydet.top | udp |
| FI | 95.217.246.182:8443 | tak.soydet.top | tcp |
| NL | 85.209.176.171:80 | 85.209.176.171 | tcp |
| US | 8.8.8.8:53 | 182.246.217.95.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.176.209.85.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 104.208.16.90:443 | browser.events.data.microsoft.com | tcp |
| US | 104.208.16.90:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bytecloudasa.website | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | 162.61.21.104.in-addr.arpa | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bytecloudasa.website | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| US | 104.21.61.162:80 | bytecloudasa.website | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
| MD5 | 9c5f6b6f7d55921ce52c8145e9d0a3b6 |
| SHA1 | ec1bb8da4c4b833616dcd9175247ab2c4290bb31 |
| SHA256 | a477c7e234f8d3318fc741bd31e738d1c90ef335b88aeed9dd18b8769ff69659 |
| SHA512 | 37161767ede7f531e4d7be978e2af48a68267f13d2acde819e63df9a34e02bba18b5e02069912758d1b5b932cb29dd8c617efc4ede74ee00f495b475a3c29d6b |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4952770.exe
| MD5 | 9c5f6b6f7d55921ce52c8145e9d0a3b6 |
| SHA1 | ec1bb8da4c4b833616dcd9175247ab2c4290bb31 |
| SHA256 | a477c7e234f8d3318fc741bd31e738d1c90ef335b88aeed9dd18b8769ff69659 |
| SHA512 | 37161767ede7f531e4d7be978e2af48a68267f13d2acde819e63df9a34e02bba18b5e02069912758d1b5b932cb29dd8c617efc4ede74ee00f495b475a3c29d6b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1326238.exe
| MD5 | db287dc09c43495a2bde4f74ed080b49 |
| SHA1 | 0a13fba4d387566a270027aa4510834d2089804d |
| SHA256 | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c |
| SHA512 | e0b4e8ec08b6032381fd97ecbb7f214c66e25bb507d326741659e734d55f3f7960545782b957a9d405a0ec257826beb004f4572d797d72508af40770517f95bd |
memory/4208-14-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4208-15-0x0000000000400000-0x0000000000409000-memory.dmp
memory/536-16-0x0000000002CB0000-0x0000000002CC6000-memory.dmp
memory/4208-18-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8216858.exe
| MD5 | 3b08f4571e930aa67dacbaace0edae29 |
| SHA1 | b89f86a739b26542f2ccf794a93e29a565131b40 |
| SHA256 | d0f163dfe61ad4f478cf43d5efc6c086c23618f60bd581a5214a61133aba53e3 |
| SHA512 | 5988b5420d62724d7abeec2f0024dc6f9287c1302180ac89a97370efa81829ce59b5779ce2bfb1a34b8b481ee262ae58b7a4749c5f9a84d97d9147c1974510fb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8216858.exe
| MD5 | 3b08f4571e930aa67dacbaace0edae29 |
| SHA1 | b89f86a739b26542f2ccf794a93e29a565131b40 |
| SHA256 | d0f163dfe61ad4f478cf43d5efc6c086c23618f60bd581a5214a61133aba53e3 |
| SHA512 | 5988b5420d62724d7abeec2f0024dc6f9287c1302180ac89a97370efa81829ce59b5779ce2bfb1a34b8b481ee262ae58b7a4749c5f9a84d97d9147c1974510fb |
memory/1628-23-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1628-24-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1628-25-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1628-27-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3744547.exe
| MD5 | 76bd95317b6cd2dd823639e4cd227d58 |
| SHA1 | 1d5983e1c1da64dc373656fb1f48b99f293c829e |
| SHA256 | cc78675026048df50bfa940e10756802f7805baa061e6cfc55ce3ca3ab20a11b |
| SHA512 | da759b4886c9edeb86ae4983306befcce940a6604ebda5c80538fe4f11be59034d97c2f08aa432f54008c709415c0d5cc9b865cb09a2cf216e5c761c6973ebda |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3744547.exe
| MD5 | 76bd95317b6cd2dd823639e4cd227d58 |
| SHA1 | 1d5983e1c1da64dc373656fb1f48b99f293c829e |
| SHA256 | cc78675026048df50bfa940e10756802f7805baa061e6cfc55ce3ca3ab20a11b |
| SHA512 | da759b4886c9edeb86ae4983306befcce940a6604ebda5c80538fe4f11be59034d97c2f08aa432f54008c709415c0d5cc9b865cb09a2cf216e5c761c6973ebda |
C:\Users\Admin\AppData\Local\Temp\ED88.exe
| MD5 | 4dc84b5df7ee95cdeb77587551f275bf |
| SHA1 | 842473aaf295afd6deda1bcc20de2b51cc8df41f |
| SHA256 | aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a |
| SHA512 | 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841 |
C:\Users\Admin\AppData\Local\Temp\ED88.exe
| MD5 | 4dc84b5df7ee95cdeb77587551f275bf |
| SHA1 | 842473aaf295afd6deda1bcc20de2b51cc8df41f |
| SHA256 | aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a |
| SHA512 | 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
| MD5 | 8899beca899dfb63b0ef64c806172f0d |
| SHA1 | 77c23735a2bdc850c9307c6453ba40b6060ddf68 |
| SHA256 | 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c |
| SHA512 | f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
| MD5 | 8899beca899dfb63b0ef64c806172f0d |
| SHA1 | 77c23735a2bdc850c9307c6453ba40b6060ddf68 |
| SHA256 | 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c |
| SHA512 | f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e |
C:\Users\Admin\AppData\Local\Temp\EF00.exe
| MD5 | a9363557d2eb8af06a9c3e6c5e29e67c |
| SHA1 | 6ff0a1209514e798f5ec2a44240424024e678de3 |
| SHA256 | ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209 |
| SHA512 | 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb |
C:\Users\Admin\AppData\Local\Temp\EF00.exe
| MD5 | a9363557d2eb8af06a9c3e6c5e29e67c |
| SHA1 | 6ff0a1209514e798f5ec2a44240424024e678de3 |
| SHA256 | ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209 |
| SHA512 | 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
| MD5 | 2422b9a0ed2081a58526efd47556f5b6 |
| SHA1 | 4ab2b51421c19ad73b8c44afc131ba0837ce0715 |
| SHA256 | 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12 |
| SHA512 | a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
| MD5 | 2422b9a0ed2081a58526efd47556f5b6 |
| SHA1 | 4ab2b51421c19ad73b8c44afc131ba0837ce0715 |
| SHA256 | 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12 |
| SHA512 | a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c |
C:\Users\Admin\AppData\Local\Temp\EFDB.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\EFDB.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\EFDB.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
| MD5 | 73125a5ae5fd152baaeedc235c1fbeac |
| SHA1 | cd2330bc6fc7ef385b00a45234d9645a6d0c39f2 |
| SHA256 | 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38 |
| SHA512 | 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
| MD5 | 73125a5ae5fd152baaeedc235c1fbeac |
| SHA1 | cd2330bc6fc7ef385b00a45234d9645a6d0c39f2 |
| SHA256 | 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38 |
| SHA512 | 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52 |
C:\Users\Admin\AppData\Local\Temp\F1E0.exe
| MD5 | 5977195ba9d7828a029853e02fb8642b |
| SHA1 | 535786cf6258737184d37feaa376d60a2ca2d756 |
| SHA256 | 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd |
| SHA512 | 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
| MD5 | 29e94bc491b607b48b76a53a9d9a2a51 |
| SHA1 | b10963258329363a804b57936f5a5a6193a59bc3 |
| SHA256 | 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042 |
| SHA512 | 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
| MD5 | 29e94bc491b607b48b76a53a9d9a2a51 |
| SHA1 | b10963258329363a804b57936f5a5a6193a59bc3 |
| SHA256 | 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042 |
| SHA512 | 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
C:\Users\Admin\AppData\Local\Temp\F1E0.exe
| MD5 | 5977195ba9d7828a029853e02fb8642b |
| SHA1 | 535786cf6258737184d37feaa376d60a2ca2d756 |
| SHA256 | 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd |
| SHA512 | 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45 |
memory/1668-88-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1668-89-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1668-87-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1668-90-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F627.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
memory/1704-100-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1000-101-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1704-97-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1088-98-0x0000000000050000-0x000000000005A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F627.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
C:\Users\Admin\AppData\Local\Temp\F9D1.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/1704-94-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F9D1.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/1088-108-0x00007FFF676D0000-0x00007FFF68191000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe
| MD5 | 4e6b8bcc3012040b79f3fcdb787d1ff3 |
| SHA1 | a10a290f59cc27597a7eddd7af58c5bfb00899dd |
| SHA256 | 5ab44ccb5944e9e5be7bd94c4348163470b961541a3203c9edfde51ba6eb4ff4 |
| SHA512 | 09f404e3d41c675fc69e50aae82415a4fa908ab01ee4fc5bc15ad1f019a4e528bcd688637fa5108919095d3e9672ccaeea6fafa2857548648b78e5e7fa6f70ed |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe
| MD5 | 4e6b8bcc3012040b79f3fcdb787d1ff3 |
| SHA1 | a10a290f59cc27597a7eddd7af58c5bfb00899dd |
| SHA256 | 5ab44ccb5944e9e5be7bd94c4348163470b961541a3203c9edfde51ba6eb4ff4 |
| SHA512 | 09f404e3d41c675fc69e50aae82415a4fa908ab01ee4fc5bc15ad1f019a4e528bcd688637fa5108919095d3e9672ccaeea6fafa2857548648b78e5e7fa6f70ed |
memory/1000-116-0x00000000734A0000-0x0000000073C50000-memory.dmp
memory/4068-117-0x00000000734A0000-0x0000000073C50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/1668-121-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4068-122-0x00000000006B0000-0x00000000006EE000-memory.dmp
memory/536-123-0x0000000007880000-0x0000000007890000-memory.dmp
memory/536-126-0x0000000007890000-0x00000000078A0000-memory.dmp
memory/536-128-0x0000000007880000-0x0000000007890000-memory.dmp
memory/536-127-0x0000000007880000-0x0000000007890000-memory.dmp
memory/536-125-0x0000000007880000-0x0000000007890000-memory.dmp
memory/536-124-0x0000000007880000-0x0000000007890000-memory.dmp
memory/536-130-0x0000000007880000-0x0000000007890000-memory.dmp
memory/536-129-0x0000000007880000-0x0000000007890000-memory.dmp
memory/536-131-0x0000000007880000-0x0000000007890000-memory.dmp
memory/536-132-0x0000000007880000-0x0000000007890000-memory.dmp