Analysis Overview
SHA256
1055e85f63c4918500650bf56924ee225d9d62db0c778ea8f606f844e6d13bf9
Threat Level: Known bad
The file fd2fde4b51e79039d00b43f7cd00b31f.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Amadey
Detects Healer an antivirus disabler dropper
Glupteba
DcRat
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
Healer
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine payload
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Drops file in Drivers directory
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Windows security modification
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 20:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 20:09
Reported
2023-10-10 20:13
Platform
win7-20230831-en
Max time kernel
161s
Max time network
139s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1924 set thread context of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe
"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 268
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
| MD5 | e3f20ad259a862d3cda234b5b25db716 |
| SHA1 | da45c1bc0344ee184f7f2f3d6b3a4b0d7cda2e0b |
| SHA256 | 4f82b4eaa9ef7dbc28d2c3a1c1b43bfeddfc478e7e8922b680df227b7cbef2af |
| SHA512 | d562a680571d08811c42ed1905dc0524d728428ae9a80d465b6d53a57a6de5dd0522b53da39e3a769ee60faabecc941ce04c484515d604b6e3a4b298e8c9ff4c |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
| MD5 | cc353418f49a51a7bef2afef59ce5071 |
| SHA1 | 8a48f140bcac612e7701d1fb4f32f24b040fb986 |
| SHA256 | e525e5cc3fff370219746ffdea9b7e95157646810707421dc557c940a20cffbd |
| SHA512 | d67c43d9805ac0eff86fc423cd52089e500f633515aa6560cbb86a795737f875c1e4c8590bd97899a40c0f756333f16b651a1bd1da2aaa3053bc59aaf534e9b4 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
| MD5 | fbfba8262cb0687c1616c345893fd7e1 |
| SHA1 | 18ec2d75f3eaacd497f05d21be556c0ecf760e4c |
| SHA256 | 853f57334d5ae888b689559ff4617207736181e8d057985fd02344f335e49f08 |
| SHA512 | f760a79089e3ed9162035ccf6e9cb70922fefac79b1418bf71395e943a73da955a0bdd52f2c1d68d2c9cc7bcdcecc8cec23e1a640f875b2d30b26ae3d0da906b |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
memory/2560-40-0x00000000003E0000-0x00000000003FE000-memory.dmp
memory/2560-41-0x0000000000880000-0x000000000089C000-memory.dmp
memory/2560-42-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-43-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-45-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-47-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-49-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-51-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-53-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-55-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-57-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-59-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-63-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-69-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-67-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-65-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2560-61-0x0000000000880000-0x0000000000896000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
| MD5 | 9f7da01ebd8a0ab0d1711de39405883d |
| SHA1 | e92b5303fcae4341f66b365e9df00a191e82c59b |
| SHA256 | 9a39312d99741edf3f4a575151ee4d46731bb84baba1ed44fd2a00952d1f01d5 |
| SHA512 | 62ce69db5827f6a88e9bede29431ab1ab4dc1418fbd4a22c6fdc778c9fc1b1223929964d5c65011f288ffb7271a80591f06e4c0c398ce3c98e163eac904e9200 |
memory/2712-76-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2712-77-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2712-78-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2712-79-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2712-80-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2712-81-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2712-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2712-83-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2712-85-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2712-87-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 20:09
Reported
2023-10-10 20:12
Platform
win10v2004-20230915-en
Max time kernel
102s
Max time network
154s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\CF0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\CF0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\CF0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\CF0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\CF0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\CF0.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 6008 created 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 6008 created 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 6008 created 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 6008 created 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 6008 created 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E87.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\564F.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8D7.bat | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86F5.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\CF0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
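The two "Modifies Windows Defender Real-time Protection settings" tables (win7 and win10 runs) and the two "Windows security modification" tables above record the same Healer behaviour: five `Disable*` DWORDs set to 1 under `Policies\Microsoft\Windows Defender\Real-Time Protection` and `Windows Defender\Features\TamperProtection` set to 0, once by 1zg68IH7.exe and once by CF0.exe. Two points a practitioner should take from them: the key is written in two spellings (with and without `WOW6432Node\`), so a detection must normalise the path, and the sandbox records the write attempt, not its effect. On a Windows 10 host with Tamper Protection enabled these settings are among the ones Tamper Protection guards, so the writes do not by themselves switch real-time protection off; the attempt is the indicator. The following detection logic is an added example and not code from the sandbox or the report; the sample events are constructed from the rows above, and their `(image, target, value)` layout is an assumption loosely modelled on a Sysmon Event ID 13 (registry value set) record, not a real Sysmon schema.

```python
"""Detection logic for the Windows Defender registry writes recorded in this report.

Added example, not code from the sandbox or from the malware. The events below are
constructed from the report's own indicator rows; their (image, target, value) layout
is an assumption loosely modelled on Sysmon Event ID 13 (RegistryEvent: value set).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# DWORD values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection
# that switch a protection feature off when set to 1 (all five appear in the report).
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
RTP_KEY = r"policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"microsoft\windows defender\features"

# The report shows the same key as ...\SOFTWARE\Policies\... (win7 run, CF0.exe on
# win10) and as ...\SOFTWARE\WOW6432Node\Policies\... (1zg68IH7.exe on win10).
# One rule should match both spellings, so the prefix is stripped before comparing.
_PREFIX_RE = re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?", re.IGNORECASE)


def normalise(target: str) -> tuple:
    """Return (key, value_name), lower-cased, without hive prefix or WOW6432Node."""
    key, _, name = _PREFIX_RE.sub("", target).lower().rpartition("\\")
    return key, name


@dataclass(frozen=True)
class RegSetEvent:
    image: str   # process that performed the write
    target: str  # full value path as the sandbox / Sysmon prints it
    value: int   # DWORD that was written


@dataclass(frozen=True)
class Finding:
    image: str
    value_name: str
    reason: str


def classify(event: RegSetEvent) -> Optional[Finding]:
    """Flag writes that turn a Defender protection off; ignore everything else."""
    key, name = normalise(event.target)
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and event.value == 1:
        return Finding(event.image, name, "real-time protection feature disabled via policy key")
    if key == FEATURES_KEY and name == "tamperprotection" and event.value == 0:
        return Finding(event.image, name, "TamperProtection value cleared")
    return None


def detect(events) -> list:
    return [f for f in map(classify, events) if f is not None]


def suspects(events, min_hits: int = 3) -> dict:
    """Images that disabled at least `min_hits` distinct Defender values.

    Healer-style droppers flip several values in one burst; the threshold keeps a
    single administrative change from firing the rule on its own.
    """
    hits = defaultdict(set)
    for f in detect(events):
        hits[f.image].add(f.value_name)
    return {img: names for img, names in hits.items() if len(names) >= min_hits}


# Constructed from the report's rows (not a captured log).
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe"
CF0 = r"C:\Users\Admin\AppData\Local\Temp\CF0.exe"
WOW_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

SAMPLE_EVENTS = [
    RegSetEvent(HEALER, WOW_RTP + r"\DisableBehaviorMonitoring", 1),
    RegSetEvent(HEALER, WOW_RTP + r"\DisableIOAVProtection", 1),
    RegSetEvent(HEALER, WOW_RTP + r"\DisableRealtimeMonitoring", 1),
    RegSetEvent(HEALER, WOW_RTP + r"\DisableScanOnRealtimeEnable", 1),
    RegSetEvent(HEALER, WOW_RTP + r"\DisableOnAccessProtection", 1),
    RegSetEvent(HEALER, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", 0),
    RegSetEvent(CF0, RTP + r"\DisableBehaviorMonitoring", 1),
    RegSetEvent(CF0, RTP + r"\DisableIOAVProtection", 1),
    RegSetEvent(CF0, RTP + r"\DisableRealtimeMonitoring", 1),
    # Benign controls (constructed): a feature being re-enabled, and an unrelated write.
    RegSetEvent(r"C:\Windows\System32\gpupdate.exe", RTP + r"\DisableRealtimeMonitoring", 0),
    RegSetEvent(r"C:\Windows\Explorer.EXE", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foo", 1),
]

if __name__ == "__main__":
    for image, names in suspects(SAMPLE_EVENTS).items():
        print(f"{image}: disabled {sorted(names)}")
```

Run as-is it names both 1zg68IH7.exe (six values) and CF0.exe (three values) and ignores the two control events. The threshold in `suspects` is the tuning knob: a single `DisableRealtimeMonitoring = 1` from a management tool is noise, five of them plus `TamperProtection = 0` from a binary in `%TEMP%\IXP003.TMP` is not.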
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\47F.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe | N/A |
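The "Adds Run key to start application" signature fires on two very different things in the tables above. The `RunOnce\wextract_cleanupN = rundll32.exe ... advpack.dll,DelNodeRunDLL32 "...\IXPnnn.TMP\"` entries are written by Microsoft's wextract self-extractor stub (IExpress packages) so that its temporary directory is deleted at the next logon; they are cleanup hooks, not persistence. What they do reveal is the nesting: each stub unpacks the next into `IXP00N.TMP`, and in the win7 run the chain runs fd2fde...exe, tE5gS63.exe, HG5ka69.exe, sq6CQ71.exe before reaching IXP003.TMP, where 1zg68IH7.exe (the Defender disabler) and 2Yy4755.exe (which sets the thread context of AppLaunch.exe, PID 1924 into 2712, both later crashing under WerFault) are executed. The one genuine autorun is the Glupteba-style `Run\csrss = "C:\Windows\rss\csrss.exe"` written by 31839b57a4f11171d6abc8bbc4451ee4.exe. The code below separates the two and rebuilds the chain from the cleanup entries; it is an added example, not code from the sandbox or the report, and the row layout `(value path, data, writing process)` is an assumption. The sample rows are constructed from the behavioral1 table plus the csrss row from this one.

```python
"""Separate wextract (IExpress) cleanup hooks from real autoruns and rebuild the drop
chain they imply.

Added example; not code from the sandbox or from the malware. Input rows are
constructed from the report's 'Adds Run key to start application' tables; the
(value path, data, writing process) layout is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RunOnce\wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" is
# written by the Microsoft self-extractor stub to delete its temp directory at next
# logon. It is a cleanup hook, not persistence.
CLEANUP_RE = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.IGNORECASE)
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)
IXP_RE = re.compile(r"IXP\d{3}\.TMP", re.IGNORECASE)


@dataclass(frozen=True)
class AutorunRow:
    value_path: str  # full registry path of the value that was set
    data: str        # string data written
    image: str       # process that wrote it


@dataclass(frozen=True)
class Stub:
    image: str                # the self-extractor executable
    extracts_to: str          # IXPnnn.TMP directory it unpacks into
    came_from: Optional[str]  # IXPnnn.TMP directory the stub itself lives in; None for the root sample


def is_cleanup_hook(row: AutorunRow) -> bool:
    return bool(CLEANUP_RE.search(row.value_path) and DELNODE_RE.search(row.data))


def persistence_rows(rows) -> list:
    """Autorun entries that are not wextract cleanup hooks: these need a real look."""
    return [r for r in rows if not is_cleanup_hook(r)]


def stubs_from_rows(rows) -> list:
    stubs = []
    for r in rows:
        if not is_cleanup_hook(r):
            continue
        target = IXP_RE.search(r.data)
        if target is None:
            continue
        origin = IXP_RE.search(r.image)
        stubs.append(Stub(r.image, target.group(0).upper(), origin.group(0).upper() if origin else None))
    return stubs


def build_chain(stubs) -> list:
    """Follow came_from -> extracts_to links from the root sample downwards.

    Directory names alone are not unique when two chains run in one session (the
    win10 run reuses IXP000/IXP002/IXP003 for a second chain started by 47F.exe), so
    this walks the links instead of sorting by the wextract_cleanupN index.
    """
    by_origin = {}
    for s in stubs:
        by_origin.setdefault(s.came_from, []).append(s)
    chain, seen = [], set()
    cur = by_origin.get(None, [None])[0]
    while cur is not None and cur.extracts_to not in seen:
        chain.append(cur)
        seen.add(cur.extracts_to)
        nxt = by_origin.get(cur.extracts_to, [])
        cur = nxt[0] if nxt else None
    return chain


def payloads_in(chain, executed_images) -> list:
    """Dropped executables in the deepest directory that are not stubs themselves."""
    if not chain:
        return []
    leaf = chain[-1].extracts_to
    stub_images = {s.image for s in chain}
    return sorted(i for i in executed_images if leaf in i.upper() and i not in stub_images)


# Constructed from the behavioral1 table plus the csrss Run entry from behavioral2.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
DELNODE = 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{}\\"'

SAMPLE_ROWS = [
    AutorunRow(RUNONCE + r"\wextract_cleanup0", DELNODE.format(TEMP + r"\IXP000.TMP"), TEMP + r"\fd2fde4b51e79039d00b43f7cd00b31f.exe"),
    AutorunRow(RUNONCE + r"\wextract_cleanup1", DELNODE.format(TEMP + r"\IXP001.TMP"), TEMP + r"\IXP000.TMP\tE5gS63.exe"),
    AutorunRow(RUNONCE + r"\wextract_cleanup2", DELNODE.format(TEMP + r"\IXP002.TMP"), TEMP + r"\IXP001.TMP\HG5ka69.exe"),
    AutorunRow(RUNONCE + r"\wextract_cleanup3", DELNODE.format(TEMP + r"\IXP003.TMP"), TEMP + r"\IXP002.TMP\sq6CQ71.exe"),
    AutorunRow(r"\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss",
               r'"C:\Windows\rss\csrss.exe"', TEMP + r"\31839b57a4f11171d6abc8bbc4451ee4.exe"),
]
EXECUTED = [
    TEMP + r"\IXP000.TMP\tE5gS63.exe", TEMP + r"\IXP001.TMP\HG5ka69.exe",
    TEMP + r"\IXP002.TMP\sq6CQ71.exe", TEMP + r"\IXP003.TMP\1zg68IH7.exe",
    TEMP + r"\IXP003.TMP\2Yy4755.exe",
]

if __name__ == "__main__":
    chain = build_chain(stubs_from_rows(SAMPLE_ROWS))
    for depth, s in enumerate(chain):
        print(f"{'  ' * depth}{s.image} -> {s.extracts_to}")
    print("final-stage payloads:", payloads_in(chain, EXECUTED))
    print("real autoruns:", [r.value_path for r in persistence_rows(SAMPLE_ROWS)])
```

On the constructed rows this yields a four-stub chain ending in IXP003.TMP, the two final-stage executables 1zg68IH7.exe and 2Yy4755.exe, and a single real autorun (`Run\csrss`). When triaging the win10 run the same walk has to be keyed on parent PID rather than directory name, because the second chain started by 47F.exe reuses IXP000.TMP, IXP002.TMP and IXP003.TMP.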
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CF0.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\source1.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe
"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1796 -ip 1796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2308 -ip 2308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 584
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\ABB2.tmp\ABB3.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe3a4c46f8,0x7ffe3a4c4708,0x7ffe3a4c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe3a4c46f8,0x7ffe3a4c4708,0x7ffe3a4c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6203320225202508898,1414958446510668348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6203320225202508898,1414958446510668348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\47F.exe
C:\Users\Admin\AppData\Local\Temp\47F.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe
C:\Users\Admin\AppData\Local\Temp\674.exe
C:\Users\Admin\AppData\Local\Temp\674.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hY00JA7.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hY00JA7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\8D7.bat
"C:\Users\Admin\AppData\Local\Temp\8D7.bat"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5904 -ip 5904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 396
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9AF.tmp\9B0.tmp\9B1.bat C:\Users\Admin\AppData\Local\Temp\8D7.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 228 -ip 228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 540
C:\Users\Admin\AppData\Local\Temp\C04.exe
C:\Users\Admin\AppData\Local\Temp\C04.exe
C:\Users\Admin\AppData\Local\Temp\CF0.exe
C:\Users\Admin\AppData\Local\Temp\CF0.exe
C:\Users\Admin\AppData\Local\Temp\E87.exe
C:\Users\Admin\AppData\Local\Temp\E87.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5616 -ip 5616
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 404
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe3a4c46f8,0x7ffe3a4c4708,0x7ffe3a4c4718
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ow203LP.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ow203LP.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe3a4c46f8,0x7ffe3a4c4708,0x7ffe3a4c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18095490293769840252,14731990622452921550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\564F.exe
C:\Users\Admin\AppData\Local\Temp\564F.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\source1.exe
"C:\Users\Admin\AppData\Local\Temp\source1.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\86F5.exe
C:\Users\Admin\AppData\Local\Temp\86F5.exe
C:\Users\Admin\AppData\Local\Temp\89E4.exe
C:\Users\Admin\AppData\Local\Temp\89E4.exe
C:\Users\Admin\AppData\Local\Temp\8F25.exe
C:\Users\Admin\AppData\Local\Temp\8F25.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4820 -ip 4820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 792
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe
C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\ABB2.tmp\ABB3.bat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_1116_FVTIVZVLWACDTHZS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_2140_WDTBDRQIGCQAHKVY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 03cf06b61e9260d09e7009497b51f4e5 |
| SHA1 | 838f4126a67a5188d3243559785c212fd27cd4f2 |
| SHA256 | d2bdfe290540366ce73609064d9799a71071756b33983241a57e353f3f577672 |
| SHA512 | e4f9b5dd7b91caee6269d96ca169ffd256d5790c4c43a716f5097c72a859f42841827efeffbd129bdc0bfaf827102e6a72c80d3354c4e194de49c2fc714b27ec |
memory/3172-135-0x0000000000730000-0x0000000000746000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a0e5b0f5d446d27383747b24ef0beb65 |
| SHA1 | 93b3f867a1372402fd5be967d84cefbfed02a5c4 |
| SHA256 | 38eb074e38f0ca6712d4c147b22b391f4c2c4e32a40d032590cca99cd0369e3f |
| SHA512 | 9ab9d51f2ec225c74b20181274132dc7bf365b436eae7a5c9ce792e89898bbe362404f61b4855b4ebb147d2cdbc93d1d789434af935687181b6e9e249a07e951 |
memory/4152-137-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/3736-257-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3736-258-0x0000000007B80000-0x0000000007B90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 03cf06b61e9260d09e7009497b51f4e5 |
| SHA1 | 838f4126a67a5188d3243559785c212fd27cd4f2 |
| SHA256 | d2bdfe290540366ce73609064d9799a71071756b33983241a57e353f3f577672 |
| SHA512 | e4f9b5dd7b91caee6269d96ca169ffd256d5790c4c43a716f5097c72a859f42841827efeffbd129bdc0bfaf827102e6a72c80d3354c4e194de49c2fc714b27ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ef720611fab16ff18817685436da3040 |
| SHA1 | e9d6d316efa6184638514a97b9b30b69bc909a1e |
| SHA256 | c8cc8962a6e1b21bb72f026d17af72bab2dc72ae80652b5bd70604f8f8ad5a70 |
| SHA512 | 7884af7fba6364f2e68fa0bcff84c1ebb780fa88d1d4c433c2b5efd2ac9fe82094ccde68df3a497abfd6dc7493ac4abd4d8ef7ecd3396e1c0ebb97f9146ee14a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | df785a96f1d93b7d7254959e289871ef |
| SHA1 | 15753b7b30fe1610dd4a5ee6255397db03e3f2a2 |
| SHA256 | d15982bd402597caa94d572570225c4e3ed45b034e827fd476c9c1244dd406fa |
| SHA512 | b14deea98cb888c6d3b6b99380aae88e3417d1ca1041aee47ff76af9446d45d984dff16241dd516cffc2ea5bd3839fe6da270067c6aca8f8b0dd862fce998478 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 25ac77f8c7c7b76b93c8346e41b89a95 |
| SHA1 | 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a |
| SHA256 | 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b |
| SHA512 | df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\47F.exe
| MD5 | 01e8938713965bcf7a894d345dccd961 |
| SHA1 | 1c9e5066c5dbe55fbf1b3795b67e85e6d70fbcc3 |
| SHA256 | da848354446f1cc6fc46269810de327f73e302a3b49bdcf1768f91f55d179773 |
| SHA512 | 82b5743fc336462220b0a72ed97f3f74ddd131ce5b0cdc5265d73acc5f855b028fc468d0910cca33a27c0959c81ff48fe3cf2462b01dd0672299e0b29071894e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6KE26pO.exe
| MD5 | 967f94532135f2be66f52826d4bdc0d9 |
| SHA1 | c3eac79dc3e4de391edb079fe12a7976ab646be7 |
| SHA256 | 80a44872835f4b305e8d3c1a42267edfc10e3cdf8ecb5abfe3ada464eb72bce4 |
| SHA512 | 41d0423f110e7e9580abf5580458ab2884b9b88061ef53426c8e8e9b9cfbb0e056b7cf2bbab6dcedc0fdf20a4105176855d0d2577f34ef537c3c238aaa113777 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW6Zt8oj.exe
| MD5 | f588c7b47585fe07fcbee10adf071051 |
| SHA1 | 010a7a0d286dbd95f8969161f7f8d7dae7141b06 |
| SHA256 | 370526ccbfe24bb127e0c35990f6657a3c0ffcd06bb1ab650916510810aff761 |
| SHA512 | 0135217f0b916cfd58e5f406c23ad805fd0e62475eaff608a79aedbe48a56ca6c9a9becc42e5650b877ee264a3906565e6c5dfc8f675a2bc198c49a2e579943a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iO8uY9pP.exe
| MD5 | 9825ae532965aaf1c8b6eeb23307a0b5 |
| SHA1 | 45dc12d3e2ae9ff5eea54188faf7f647c5c10560 |
| SHA256 | 920ba68f618312ec413bef3cb0832e66e60537000f9d2f2d15488d48a3b8ca21 |
| SHA512 | 56c779df4443822b42dec60de5e5a4fe5281ee82c457b527143d2f400ed9f4e6ec00d016ca4f8b51739d77bdbf6487e195efe85b2646ccd394420ad4d5e48172 |
C:\Users\Admin\AppData\Local\Temp\674.exe
| MD5 | 87ec79f7a935ac18452e8bf14cee3eaa |
| SHA1 | 44ba683c6cf7e938d90f7c01d6fa8f39831c2e22 |
| SHA256 | 15ac5f7e5fb930fdc48a83d67b79e669a7ebdaed45bbc394c0fddc3ff57d7532 |
| SHA512 | a9198d48d3b62a7bc3d0e53b546c41876326ab51406cea1aebadc49aec4c879e8e037686dd3ffabab304e2f66f30ce3f294f63b4054e889269fd5780b1b1f181 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YL1xJ1lt.exe
| MD5 | 31c009b6fb0016ed9858273b31830855 |
| SHA1 | aa4432181da3349006a6ad35852705e9fc53e038 |
| SHA256 | 593b5be11b432dd398461b85ba2ad02c6a49d3e7dee9ddf9becc0f54827d95a0 |
| SHA512 | 22513cfb2c6d7c40223713e7e33f18058fc619518d845515409a978e6a4e02a7ae9a0dfa5f3c9fd56579e99b6eeb14845e4af897f9cb5297e3fc71f206e76458 |
C:\Users\Admin\AppData\Local\Temp\674.exe
| MD5 | 87ec79f7a935ac18452e8bf14cee3eaa |
| SHA1 | 44ba683c6cf7e938d90f7c01d6fa8f39831c2e22 |
| SHA256 | 15ac5f7e5fb930fdc48a83d67b79e669a7ebdaed45bbc394c0fddc3ff57d7532 |
| SHA512 | a9198d48d3b62a7bc3d0e53b546c41876326ab51406cea1aebadc49aec4c879e8e037686dd3ffabab304e2f66f30ce3f294f63b4054e889269fd5780b1b1f181 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MR9kh3on.exe
| MD5 | 752628ad18046dcf1135bfb110b4e310 |
| SHA1 | cc207f5cdb66bedb7b4d4626c31f42b54b10934b |
| SHA256 | 0a30b0514f06dd0fee5ae520c17f5063d1b517ce601a62fddc239714852d0b7b |
| SHA512 | 323e44d590d3345f2e01f8b549056f3f1230770af7afdbe66b049dec6918b908cb929cbdce84c7ed47f3e0fc5b3c1db02971d08b93e78bbfc43e9ba29554c59c |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hY00JA7.exe
| MD5 | fae7262abd1ec7a8cc8c733bc11ede7c |
| SHA1 | 64c197c8c8db30b547463abf726679573c7dc1a4 |
| SHA256 | 2f3228dfa4c99b6f28a2cbfddac0dca494eff7cf2eb1e3ce61ecc5ccb1bd431d |
| SHA512 | 72f132d4a25b5068102686178866039f21f31f1ff20b1346f4d2d91c7c5180378e5de9151d960cc2ea99b16fba3a6645538e89480651c4118a54ed025e21e2dc |
C:\Users\Admin\AppData\Local\Temp\8D7.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
memory/6116-342-0x0000000000400000-0x0000000000433000-memory.dmp
memory/6116-343-0x0000000000400000-0x0000000000433000-memory.dmp
memory/6116-345-0x0000000000400000-0x0000000000433000-memory.dmp
memory/228-347-0x0000000000400000-0x0000000000433000-memory.dmp
memory/228-348-0x0000000000400000-0x0000000000433000-memory.dmp
memory/228-350-0x0000000000400000-0x0000000000433000-memory.dmp
memory/6116-351-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C04.exe
| MD5 | 02ff7b6ab0166ce70c7a12c5552e00be |
| SHA1 | 9d266ab22b438fc8092e7816557196a0e546e24a |
| SHA256 | 0a905d1a49ca8141cd03947a03ebd34d5dadaadf2c5ea952ac8125c877ff1644 |
| SHA512 | 13eec7921721560c318c6f7b1503501e9e91922f4a730a2f0b2b9d143e56392c3e2f9d8084439b4829fad3f925f9b464f346c9fa4673af4622f452a9e9af3cbe |
C:\Users\Admin\AppData\Local\Temp\CF0.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
memory/6080-360-0x0000000000A00000-0x0000000000A0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9AF.tmp\9B0.tmp\9B1.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
memory/6080-362-0x00007FFE35340000-0x00007FFE35E01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E87.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/6036-370-0x0000000074840000-0x0000000074FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/6036-378-0x0000000007530000-0x0000000007540000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a1e508404f45c4ac0cb7e1ffd1cdcdfc |
| SHA1 | 2354d15e05fa84a2e171887356cc8fc7f0ba51fe |
| SHA256 | 5889147550d3bcf136ea4e4541bd55b3e476bd8bde79674a68f94ebe32c5d3b2 |
| SHA512 | d46a222c77cffefce89275aaa78bdb9f8e4aa118c00d9897d80d2c625253eceb3744e566adab8f4aa3920df90a69a0565ac8230fb85093d67b2fec2595167414 |
memory/5948-389-0x00000000004C0000-0x00000000004FE000-memory.dmp
memory/5948-390-0x0000000074840000-0x0000000074FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ow203LP.exe
| MD5 | 987883382e8b62c67e13f88307066b15 |
| SHA1 | 754d95ba9258680c1efd3229aa801218f9d4317f |
| SHA256 | efd94432016e5abc95803c8f4197054c2a176aa580ee8ccd2d16e007cdc1c7d0 |
| SHA512 | 734772b634ddf758d807d56cfbac4cb76eb752c8dc8247aa6e8e1bb1cee07e09b3b57505661831a49cbbcb8fd15ac82eeeaba8ae6c8c793e463c97e321e4a1bf |
memory/5948-402-0x0000000007210000-0x0000000007220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ow203LP.exe
| MD5 | 987883382e8b62c67e13f88307066b15 |
| SHA1 | 754d95ba9258680c1efd3229aa801218f9d4317f |
| SHA256 | efd94432016e5abc95803c8f4197054c2a176aa580ee8ccd2d16e007cdc1c7d0 |
| SHA512 | 734772b634ddf758d807d56cfbac4cb76eb752c8dc8247aa6e8e1bb1cee07e09b3b57505661831a49cbbcb8fd15ac82eeeaba8ae6c8c793e463c97e321e4a1bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | fde35c3bd20541fc2b097923babbadbd |
| SHA1 | b0e316167faa284db03230fd46759651e2d90f78 |
| SHA256 | b298e01d0d4fb92af32c9e74e159c30cba94ec3b033e80a86dbea20a920fd3cd |
| SHA512 | a58ebb719e1e86d0fdda8bdb7e234bbb48eb1e47dc12395038d74ca31b69be93d78de4105af4f8ef64ae07930bf96b890bd296467d1dfef9474a293c3da1f07d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5824aa.TMP
| MD5 | e81846560b3907dd1f59f6e8ec611b07 |
| SHA1 | 5380d9be767a4af88afcf46deb1ac9f463248f04 |
| SHA256 | 55b092b5031e7f7ed883c3cdc7bfd6f9c23fdc4b6d406ea58ddf2b5d1a9db51f |
| SHA512 | 9c311995f7e90e455e3f57f99a161a2f11fa594de5d300ef09266534c4b94fd8dc0cfdd7cdcc1640ab5133e9364048bb1bfc683bee226c200ca1bec0b75c69c3 |
memory/6080-498-0x00007FFE35340000-0x00007FFE35E01000-memory.dmp
memory/6036-499-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/6080-501-0x00007FFE35340000-0x00007FFE35E01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 82f2c41e19c217b50634b0c6b1e8f2b3 |
| SHA1 | b590a7142849df470c23e58b5b3113e2dafe4dd9 |
| SHA256 | 26b0cae308543030b21bdf2b069292c133823d59dfcdb9e75801d4b90d8caa96 |
| SHA512 | a70669b1ae1171acbd8cb051ce9ea9275aa93864cdb78bfb87ee4bf8ac3e9a7219bad0ea6847bd051d0fb35739c1a2307b0a61a137377d22e7fac570b8ac2d50 |
memory/5948-511-0x0000000074840000-0x0000000074FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c6e55892008adbd57be1b8a1129bbfbc |
| SHA1 | 05bae2a002a0f50469af4b85f835328c1290e217 |
| SHA256 | 7a293b839dc4e1b3edd9fea8e34b9dc0ffa0439310ae25916c9eb8a81e1ab925 |
| SHA512 | 87885c796ed0355e4c50605abc357200c79e06bf8e4a1fc4574548a3df8bec05da9e9bc00363586fb3b8c854ebf2c5b58605925962f217d3f169cf43bd8bdf6e |
memory/5948-530-0x0000000007210000-0x0000000007220000-memory.dmp
memory/5380-533-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/5380-534-0x0000000000E10000-0x0000000001D3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b44f3ea702caf5fba20474d4678e67f6 |
| SHA1 | d33da22fcd5674123807aaf01123d49a69901e33 |
| SHA256 | 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8 |
| SHA512 | ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | aa6f521d78f6e9101a1a99f8bfdfbf08 |
| SHA1 | 81abd59d8275c1a1d35933f76282b411310323be |
| SHA256 | 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d |
| SHA512 | 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153 |
C:\Users\Admin\AppData\Local\Temp\source1.exe
| MD5 | e082a92a00272a3c1cd4b0de30967a79 |
| SHA1 | 16c391acf0f8c637d36a93e217591d8319e3f041 |
| SHA256 | eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc |
| SHA512 | 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288 |
memory/4940-557-0x0000000074840000-0x0000000074FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/4940-558-0x0000000000D90000-0x00000000012A6000-memory.dmp
memory/4940-565-0x0000000005B70000-0x0000000005B80000-memory.dmp
memory/5380-566-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/4940-568-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/4940-567-0x0000000005DC0000-0x0000000005E5C000-memory.dmp
memory/5208-571-0x00000000024F0000-0x00000000024F9000-memory.dmp
memory/5208-572-0x00000000025E0000-0x00000000026E0000-memory.dmp
memory/1720-574-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4108-573-0x0000000004340000-0x0000000004740000-memory.dmp
memory/4108-575-0x0000000004740000-0x000000000502B000-memory.dmp
memory/1720-576-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4940-577-0x0000000074840000-0x0000000074FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 990667ca89e2fece1b1f69595dbdd3ac |
| SHA1 | 4f154850ccf23ae21a8e6600d4dae98533862b6f |
| SHA256 | dfe67f14a380e50b49a7b84ae8079f139796d9f40aae3b20359c6d41203e68a7 |
| SHA512 | 621c27ebd66c41cbf72c15e7a94788a848dce868b14909435a8d46934138d05d17a8c5904225844254bfd951c27484be4cc8f498e4bd77b0bcfe9b6e7de04420 |
memory/4108-587-0x0000000000400000-0x000000000266D000-memory.dmp
memory/4940-588-0x0000000005B70000-0x0000000005B80000-memory.dmp
memory/3116-589-0x0000000003050000-0x0000000003086000-memory.dmp
memory/3116-590-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3116-603-0x00000000059F0000-0x0000000006018000-memory.dmp
memory/3172-600-0x0000000006E70000-0x0000000006E86000-memory.dmp
memory/1720-601-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f7905136deb6ff7069528fe32c85a9ba |
| SHA1 | e801804e17e995ce315d91801471acdc223efad2 |
| SHA256 | 341573550b02579b3583eb4e130e04cc862f55645dc61166c44b648602416012 |
| SHA512 | 9086e6dad0f92f6b3dfbe0b5c50639ef75394c8b4f20df68626d9547dbac2024854a3d50ea3e7633bf97ac70493f60e4540626a8751b90fd72c5b9bbcd821a3c |
memory/3116-615-0x0000000005870000-0x0000000005892000-memory.dmp
memory/3116-621-0x0000000005920000-0x0000000005986000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_351qhmqy.k0f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3116-622-0x0000000006090000-0x00000000060F6000-memory.dmp
memory/3116-627-0x0000000006200000-0x0000000006554000-memory.dmp
memory/3116-628-0x0000000006620000-0x000000000663E000-memory.dmp
memory/4108-629-0x0000000004340000-0x0000000004740000-memory.dmp
memory/3116-631-0x0000000007810000-0x0000000007854000-memory.dmp
memory/4108-630-0x0000000000400000-0x000000000266D000-memory.dmp
memory/6008-632-0x00007FF7CCCE0000-0x00007FF7CD281000-memory.dmp
memory/4108-635-0x0000000004740000-0x000000000502B000-memory.dmp
memory/3116-636-0x00000000053B0000-0x00000000053C0000-memory.dmp
memory/4940-640-0x0000000005FF0000-0x0000000006005000-memory.dmp
memory/4940-641-0x0000000005FF0000-0x0000000006005000-memory.dmp
memory/4940-644-0x0000000005FF0000-0x0000000006005000-memory.dmp
memory/4940-646-0x0000000005FF0000-0x0000000006005000-memory.dmp
memory/4820-649-0x00000000020A0000-0x00000000020FA000-memory.dmp
memory/4940-650-0x0000000005FF0000-0x0000000006005000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB199.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpB1CE.tmp
| MD5 | 9a24ca06da9fb8f5735570a0381ab5a2 |
| SHA1 | 27bdb2f2456cefc0b3e19d9be0a0dd64cc13d5de |
| SHA256 | 9ef3c0aca07106effa1ad59c2c80e27225b2dd0808d588702dcf1a24d5f5fe00 |
| SHA512 | dd8ef799db6b1812c26ddc76b51e0ea3bbd5acde4e470a5e1152868e1aa55aa83b7370486f2d09158ffeda7dc8d95a2b071fe6bd086118efdb2b0d361cbf5183 |
C:\Users\Admin\AppData\Local\Temp\tmpB209.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmpB230.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpB20F.tmp
| MD5 | ef0302d09e6704625922099656155a09 |
| SHA1 | 1d20e5be20e15de7be259c6d94597e8bb04b3e0e |
| SHA256 | 3991b1953b9de534ffc22d5b13caecc0c62bedf780a523c0c58cc50720a3f5fa |
| SHA512 | f58c7d55822bda655a6d35b0455a06fc4c5169925059ab8d46e33c1989764ff36bf45e9593da19fccbd4bafc14e86148a95abe77a08b252696ce1e45ef829122 |
C:\Users\Admin\AppData\Local\Temp\tmpB26B.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
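Three things about the listing above trip up anyone turning it into block-list indicators: the same file is often emitted more than once (E87.exe and its persistence copy explothe.exe carry one SHA-256), the `\??\pipe\LOCAL\crashpad_*` entries report the digests of zero-length input (MD5 d41d8cd9..., SHA-256 e3b0c442...) and so identify nothing, and the `Microsoft\Edge\User Data\` files are the sandbox browser's own profile state rather than payloads. The parser below is an added example, not part of the sandbox report or of any tool it names; it reads the path-then-hash-rows layout used on this page, classifies each entry, collapses duplicates to one SHA-256 per payload, and decodes the `memory/<pid>-<n>-<start>-<end>-memory.dmp` lines. `SAMPLE` is an excerpt constructed from entries of the listing above, trimmed to the MD5 and SHA-256 rows; the `browser-profile` heuristic is an assumption about Edge/Chrome profile paths, not something the report states.

```python
"""Parse a sandbox 'dropped files' listing (path line + | MD5 | ... | rows) into IOCs."""
import hashlib
import re
from dataclasses import dataclass, field

# Digests of zero-length input. An entry reporting these was read as empty (the
# crashpad pipes above), so the hash carries no identifying information.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
    "sha512": hashlib.sha512(b"").hexdigest(),
}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMORY_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumption: files under the browser's own profile directory are sandbox noise, not drops.
BROWSER_PROFILE = re.compile(r"\\AppData\\Local\\(Microsoft\\Edge|Google\\Chrome)\\User Data\\", re.I)


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm name -> lowercase hex digest

    @property
    def kind(self) -> str:
        if self.path.startswith("\\??\\pipe\\"):
            return "pipe"
        if BROWSER_PROFILE.search(self.path):
            return "browser-profile"
        return "dropped-file"

    @property
    def empty_content(self) -> bool:
        """True when any reported digest is the digest of the empty string."""
        return any(EMPTY_DIGESTS.get(alg) == digest for alg, digest in self.hashes.items())


@dataclass
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Walk the listing line by line: a memory/ line is a dump, a | ALG | hex | row
    belongs to the most recent path line, and anything else starts a new artifact."""
    artifacts, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current.hashes[m[1].lower()] = m[2].lower()
            continue
        current = Artifact(line)
        artifacts.append(current)
    return artifacts, dumps


def unique_payload_sha256(artifacts):
    """SHA-256 set worth blocking: dropped files only, no pipes, no browser profile
    state, no empty-input digests, and repeated entries collapsed to one hash."""
    return sorted({a.hashes["sha256"] for a in artifacts
                   if a.kind == "dropped-file" and "sha256" in a.hashes and not a.empty_content})


def same_content_copies(artifacts):
    """Payloads written to more than one path, e.g. a Temp drop copied to a persistence dir."""
    by_hash = {}
    for a in artifacts:
        if a.kind == "dropped-file" and "sha256" in a.hashes:
            by_hash.setdefault(a.hashes["sha256"], set()).add(a.path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


# Constructed excerpt of the listing above (MD5 and SHA-256 rows only).
SAMPLE = r"""
memory/3736-89-0x00000000079B0000-0x00000000079BA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
\??\pipe\LOCAL\crashpad_1116_FVTIVZVLWACDTHZS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Temp\E87.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
"""

if __name__ == "__main__":
    arts, dumps = parse_listing(SAMPLE)
    for a in arts:
        print(f"{a.kind:16} empty={a.empty_content!s:5} {a.path}")
    print("block-list SHA-256:", unique_payload_sha256(arts))
    print("same payload at several paths:", same_content_copies(arts))
    print("memory dumps:", [(d.pid, d.index, hex(d.size)) for d in dumps])
```

On the full listing the `same_content_copies` output is the interesting part: a hash that appears under both a `Temp\*.exe` name and a second directory is the drop-then-copy pattern behind the "Adds Run key" and "Creates scheduled task(s)" signatures, so the second path is the persistence location to clean up, not just another indicator.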