Malware Analysis Report

2025-01-23 09:02

Sample ID 231010-yzzhgagh4t
Target file.exe
SHA256 0e54c70579ab94484e32e48e778022ed34ac0080972030732e53353c1d595f2b
Tags
evasion persistence trojan amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor discovery dropper infostealer loader rat rootkit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e54c70579ab94484e32e48e778022ed34ac0080972030732e53353c1d595f2b

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Detects Healer an antivirus disabler dropper

RedLine

SmokeLoader

Glupteba

Modifies Windows Defender Real-time Protection settings

SectopRAT payload

SectopRAT

Amadey

RedLine payload

Glupteba payload

DcRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Healer

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Modifies data under HKEY_USERS

Enumerates system info in registry

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:14

Reported

2023-10-10 20:16

Platform

win7-20230831-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2968 set thread context of 2976 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe
PID 2988 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe
PID 3040 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe
PID 2768 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe
PID 2768 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe
PID 2968 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2968 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\SysWOW64\WerFault.exe
PID 2976 wrote to memory of 2728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 268

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe

MD5 575d329c11121622a10119820c2e6196
SHA1 1cd5cd02d2b5c2c355fd8a1ba23958157ce9005e
SHA256 a0a8b719ec298c8b5f591e1ec4cd7ffc23e56fe6c7e1381ae877f2605d82fd03
SHA512 3c1687eab12049315bcb54d137b1356b59eaef4dcc00883a0bca965f662db88c58ba99afce7869ead202de6b07d45b695f3e405c1818917b9315f4da7531d729

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe

MD5 2cb67dcc49dc6f091570f981c35415c1
SHA1 60213cf91476ecd68c6dbcbddb65f93c3d8a1a65
SHA256 6d0413fc38223a3c5e503bed67962503d3dafdf621bd7afd2a4e70a6f5788cb4
SHA512 4b81d2685f08d624123eb1060570a5a8cf659424a1ec00dd9afc91b7e056ed6fcc4f5980feff82aeab7b1a7ec3da1ee23b93508053d5f4eb1cfc98039e6b94af

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe

MD5 f339996cffd03515b418b8e4084a08cf
SHA1 294522cb021c181418874a14432d30b287730b74
SHA256 5c0f3631cabefe63c19b66377fe3e48c0921d463188024ba60c815b7b7d436f1
SHA512 3f35e5687b8dee166d51756f615f61bd373c591adf15dc1d0dc974852f537bca1817d6e01d5cb0244a7050ab41b963e9822c1cc061ce81d56a169bb1740f82ed

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe

MD5 87ec79f7a935ac18452e8bf14cee3eaa
SHA1 44ba683c6cf7e938d90f7c01d6fa8f39831c2e22
SHA256 15ac5f7e5fb930fdc48a83d67b79e669a7ebdaed45bbc394c0fddc3ff57d7532
SHA512 a9198d48d3b62a7bc3d0e53b546c41876326ab51406cea1aebadc49aec4c879e8e037686dd3ffabab304e2f66f30ce3f294f63b4054e889269fd5780b1b1f181

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:14

Reported

2023-10-10 20:16

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\850C.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8B96.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CB7F.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\826A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn8ax5LL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xA4CA7qI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS3dA3lQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO4ku8QT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\850C.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1wY70qY8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87FB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8B96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jw606Sc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CB7F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D19A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D380.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D7F5.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D19A.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\826A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn8ax5LL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO4ku8QT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xA4CA7qI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS3dA3lQ.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\89C1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D380.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D7F5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe
PID 1740 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe
PID 1740 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe
PID 452 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe
PID 452 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe
PID 452 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe
PID 3016 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe
PID 3016 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe
PID 3016 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe
PID 2060 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe
PID 2060 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe
PID 2060 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe
PID 2060 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe
PID 2060 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe
PID 2060 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3016 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe
PID 3016 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe
PID 3016 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe
PID 4976 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4976 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4976 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4976 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4976 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4976 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 452 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe
PID 452 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe
PID 452 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe
PID 3476 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1740 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe
PID 1740 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe
PID 1740 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe
PID 3160 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe C:\Windows\system32\cmd.exe
PID 3160 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe C:\Windows\system32\cmd.exe
PID 3876 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3876 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3876 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3876 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4872 -ip 4872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2500 -ip 2500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4976 -ip 4976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3476 -ip 3476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2BAF.tmp\2BB0.tmp\2BB1.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe408b46f8,0x7ffe408b4708,0x7ffe408b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe408b46f8,0x7ffe408b4708,0x7ffe408b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,5845900172404032576,1086957522509139282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,5845900172404032576,1086957522509139282,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\826A.exe

C:\Users\Admin\AppData\Local\Temp\826A.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn8ax5LL.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn8ax5LL.exe

C:\Users\Admin\AppData\Local\Temp\83C2.exe

C:\Users\Admin\AppData\Local\Temp\83C2.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xA4CA7qI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xA4CA7qI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS3dA3lQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS3dA3lQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO4ku8QT.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO4ku8QT.exe

C:\Users\Admin\AppData\Local\Temp\850C.bat

"C:\Users\Admin\AppData\Local\Temp\850C.bat"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1wY70qY8.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1wY70qY8.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2400 -ip 2400

C:\Users\Admin\AppData\Local\Temp\87FB.exe

C:\Users\Admin\AppData\Local\Temp\87FB.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 224

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8632.tmp\8633.tmp\8634.bat C:\Users\Admin\AppData\Local\Temp\850C.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5188 -ip 5188

C:\Users\Admin\AppData\Local\Temp\89C1.exe

C:\Users\Admin\AppData\Local\Temp\89C1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5392 -ip 5392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 600

C:\Users\Admin\AppData\Local\Temp\8B96.exe

C:\Users\Admin\AppData\Local\Temp\8B96.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5312 -ip 5312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 416

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jw606Sc.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jw606Sc.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe408b46f8,0x7ffe408b4708,0x7ffe408b4718

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe408b46f8,0x7ffe408b4708,0x7ffe408b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7912950886428098569,429688868500945082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\CB7F.exe

C:\Users\Admin\AppData\Local\Temp\CB7F.exe

C:\Users\Admin\AppData\Local\Temp\D19A.exe

C:\Users\Admin\AppData\Local\Temp\D19A.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\D380.exe

C:\Users\Admin\AppData\Local\Temp\D380.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\D7F5.exe

C:\Users\Admin\AppData\Local\Temp\D7F5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3124 -ip 3124

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe

MD5 575d329c11121622a10119820c2e6196
SHA1 1cd5cd02d2b5c2c355fd8a1ba23958157ce9005e
SHA256 a0a8b719ec298c8b5f591e1ec4cd7ffc23e56fe6c7e1381ae877f2605d82fd03
SHA512 3c1687eab12049315bcb54d137b1356b59eaef4dcc00883a0bca965f662db88c58ba99afce7869ead202de6b07d45b695f3e405c1818917b9315f4da7531d729

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MD7ls81.exe

MD5 575d329c11121622a10119820c2e6196
SHA1 1cd5cd02d2b5c2c355fd8a1ba23958157ce9005e
SHA256 a0a8b719ec298c8b5f591e1ec4cd7ffc23e56fe6c7e1381ae877f2605d82fd03
SHA512 3c1687eab12049315bcb54d137b1356b59eaef4dcc00883a0bca965f662db88c58ba99afce7869ead202de6b07d45b695f3e405c1818917b9315f4da7531d729

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe

MD5 2cb67dcc49dc6f091570f981c35415c1
SHA1 60213cf91476ecd68c6dbcbddb65f93c3d8a1a65
SHA256 6d0413fc38223a3c5e503bed67962503d3dafdf621bd7afd2a4e70a6f5788cb4
SHA512 4b81d2685f08d624123eb1060570a5a8cf659424a1ec00dd9afc91b7e056ed6fcc4f5980feff82aeab7b1a7ec3da1ee23b93508053d5f4eb1cfc98039e6b94af

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU6bt02.exe

MD5 2cb67dcc49dc6f091570f981c35415c1
SHA1 60213cf91476ecd68c6dbcbddb65f93c3d8a1a65
SHA256 6d0413fc38223a3c5e503bed67962503d3dafdf621bd7afd2a4e70a6f5788cb4
SHA512 4b81d2685f08d624123eb1060570a5a8cf659424a1ec00dd9afc91b7e056ed6fcc4f5980feff82aeab7b1a7ec3da1ee23b93508053d5f4eb1cfc98039e6b94af

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe

MD5 f339996cffd03515b418b8e4084a08cf
SHA1 294522cb021c181418874a14432d30b287730b74
SHA256 5c0f3631cabefe63c19b66377fe3e48c0921d463188024ba60c815b7b7d436f1
SHA512 3f35e5687b8dee166d51756f615f61bd373c591adf15dc1d0dc974852f537bca1817d6e01d5cb0244a7050ab41b963e9822c1cc061ce81d56a169bb1740f82ed

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iU0SD93.exe

MD5 f339996cffd03515b418b8e4084a08cf
SHA1 294522cb021c181418874a14432d30b287730b74
SHA256 5c0f3631cabefe63c19b66377fe3e48c0921d463188024ba60c815b7b7d436f1
SHA512 3f35e5687b8dee166d51756f615f61bd373c591adf15dc1d0dc974852f537bca1817d6e01d5cb0244a7050ab41b963e9822c1cc061ce81d56a169bb1740f82ed

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dW85AA7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/2476-29-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2476-28-0x0000000002410000-0x000000000242E000-memory.dmp

memory/2476-30-0x0000000004B20000-0x0000000004B30000-memory.dmp

memory/2476-31-0x0000000004B20000-0x0000000004B30000-memory.dmp

memory/2476-32-0x0000000004B30000-0x00000000050D4000-memory.dmp

memory/2476-33-0x0000000004AE0000-0x0000000004AFC000-memory.dmp

memory/2476-34-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-35-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-37-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-39-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-41-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-43-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-45-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-49-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-47-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-51-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-53-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-55-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-57-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-59-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-61-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

memory/2476-62-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2476-63-0x0000000004B20000-0x0000000004B30000-memory.dmp

memory/2476-64-0x0000000004B20000-0x0000000004B30000-memory.dmp

memory/2476-66-0x0000000074290000-0x0000000074A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe

MD5 87ec79f7a935ac18452e8bf14cee3eaa
SHA1 44ba683c6cf7e938d90f7c01d6fa8f39831c2e22
SHA256 15ac5f7e5fb930fdc48a83d67b79e669a7ebdaed45bbc394c0fddc3ff57d7532
SHA512 a9198d48d3b62a7bc3d0e53b546c41876326ab51406cea1aebadc49aec4c879e8e037686dd3ffabab304e2f66f30ce3f294f63b4054e889269fd5780b1b1f181

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Kh7249.exe

MD5 87ec79f7a935ac18452e8bf14cee3eaa
SHA1 44ba683c6cf7e938d90f7c01d6fa8f39831c2e22
SHA256 15ac5f7e5fb930fdc48a83d67b79e669a7ebdaed45bbc394c0fddc3ff57d7532
SHA512 a9198d48d3b62a7bc3d0e53b546c41876326ab51406cea1aebadc49aec4c879e8e037686dd3ffabab304e2f66f30ce3f294f63b4054e889269fd5780b1b1f181

memory/2500-70-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-74-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe

MD5 f69552df1a829f2b97bdd763880dcbba
SHA1 213330e955f9fddaf74b1b08704f07fa298c86d4
SHA256 8e32a280887d33dbdad912c2bc79b3abc97cf0c1289c7d51e84471841a71eb22
SHA512 02ec59179a8815489951b2b459fa580e70fad2200de670b10f1494b6517e1c385ce7e6bbd34912f19c13defb9144299cccce469db82e308807499c1399590399

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uz77xT.exe

MD5 f69552df1a829f2b97bdd763880dcbba
SHA1 213330e955f9fddaf74b1b08704f07fa298c86d4
SHA256 8e32a280887d33dbdad912c2bc79b3abc97cf0c1289c7d51e84471841a71eb22
SHA512 02ec59179a8815489951b2b459fa580e70fad2200de670b10f1494b6517e1c385ce7e6bbd34912f19c13defb9144299cccce469db82e308807499c1399590399

memory/1816-78-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1816-79-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe

MD5 02ff7b6ab0166ce70c7a12c5552e00be
SHA1 9d266ab22b438fc8092e7816557196a0e546e24a
SHA256 0a905d1a49ca8141cd03947a03ebd34d5dadaadf2c5ea952ac8125c877ff1644
SHA512 13eec7921721560c318c6f7b1503501e9e91922f4a730a2f0b2b9d143e56392c3e2f9d8084439b4829fad3f925f9b464f346c9fa4673af4622f452a9e9af3cbe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qO260Eb.exe

MD5 02ff7b6ab0166ce70c7a12c5552e00be
SHA1 9d266ab22b438fc8092e7816557196a0e546e24a
SHA256 0a905d1a49ca8141cd03947a03ebd34d5dadaadf2c5ea952ac8125c877ff1644
SHA512 13eec7921721560c318c6f7b1503501e9e91922f4a730a2f0b2b9d143e56392c3e2f9d8084439b4829fad3f925f9b464f346c9fa4673af4622f452a9e9af3cbe

memory/4708-83-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4708-84-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/4708-85-0x00000000076C0000-0x0000000007752000-memory.dmp

memory/4708-86-0x00000000078E0000-0x00000000078F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe

MD5 410ebb6ade8eaf6e573b95a9ff1dd46b
SHA1 da2f88e48787b879b80bc57fbea107eaf0a29679
SHA256 a0a78bd6b4dc30e21508c3811a173ff2b28c38c1f9fda0048084a5c29dc43170
SHA512 95bc84c67ea35a4605f284a79da388645ade68531d4621b81895f3b16a53a80a928f78edd6ce1220f8c3764bf82168dbe2695d206ef1b0744aeebaae4694a53e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wE8yX0.exe

MD5 410ebb6ade8eaf6e573b95a9ff1dd46b
SHA1 da2f88e48787b879b80bc57fbea107eaf0a29679
SHA256 a0a78bd6b4dc30e21508c3811a173ff2b28c38c1f9fda0048084a5c29dc43170
SHA512 95bc84c67ea35a4605f284a79da388645ade68531d4621b81895f3b16a53a80a928f78edd6ce1220f8c3764bf82168dbe2695d206ef1b0744aeebaae4694a53e

memory/4708-91-0x0000000007860000-0x000000000786A000-memory.dmp

memory/4708-92-0x00000000087A0000-0x0000000008DB8000-memory.dmp

memory/4708-93-0x0000000007A20000-0x0000000007B2A000-memory.dmp

memory/4708-94-0x0000000007950000-0x0000000007962000-memory.dmp

memory/4708-95-0x00000000079B0000-0x00000000079EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2BAF.tmp\2BB0.tmp\2BB1.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/4708-97-0x0000000007B30000-0x0000000007B7C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0987267c265b2de204ac19d29250d6cd
SHA1 247b7b1e917d9ad2aa903a497758ae75ae145692
SHA256 474887e5292c0cf7d5ed52e3bcd255eedd5347f6f811200080c4b5d813886264
SHA512 3b272b8c8d4772e1a4dc68d17a850439ffdd72a6f6b1306eafa18b810b103f3198af2c58d6ed92a1f3c498430c1b351e9f5c114ea5776b65629b1360f7ad13f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

\??\pipe\LOCAL\crashpad_3384_QSAWTQCBEUABNHZY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

\??\pipe\LOCAL\crashpad_4156_AKPZZSZIJQCVJYDF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 619cc103d9b211492214653fcbe17ce2
SHA1 ba7ae27ca7ed4544fae448166bc748a16316d0c3
SHA256 eb687730a736dbfe695bb80127879763db13cc58569f85855de0656b01964fda
SHA512 229ef973678f23d04ca5e3875b37583eb77f4cc0d5ce3258ae5c79a982b52588152010d70b7c218830057e7add98527821b68c6354bcea807befe817cc709d0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c08a900edcec5c8f8e9468acbe737da2
SHA1 bd1ac3f52867eb899f847273d52c04d4516ad81e
SHA256 a554d4e2856444bc7f31b4f8b88457ca1d1406574141df126756b7a4c4b3d153
SHA512 8d55639849e7df9fac16f6cfba1f368c635a61f5dbaa3d4eb6c599236c35c3691c12ea74ecd6d0dd588cd74de63fd68ba51544b59285a3702c4a45cf2d092c61

memory/2684-148-0x00000000036C0000-0x00000000036D6000-memory.dmp

memory/1816-150-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4708-251-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/4708-256-0x00000000078E0000-0x00000000078F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 050a8e93214219412a48ac852f7fd22b
SHA1 284a6b662b7cc949e938599ce1fdbeceb4b6caf7
SHA256 007bc627fafb9180669e810cf6d41e9691131b2f85f79f1691c5ac2cc2971fcc
SHA512 1a99b5f43ee9f17bfb181a43e196f8621736f7b83ca638d055942a38dbdd487eb349a1e2c53c9e008d66f7de1c000db5189a52c018c1ad77ea9d8ca1e3d43ae9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 619cc103d9b211492214653fcbe17ce2
SHA1 ba7ae27ca7ed4544fae448166bc748a16316d0c3
SHA256 eb687730a736dbfe695bb80127879763db13cc58569f85855de0656b01964fda
SHA512 229ef973678f23d04ca5e3875b37583eb77f4cc0d5ce3258ae5c79a982b52588152010d70b7c218830057e7add98527821b68c6354bcea807befe817cc709d0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ff4c15e73a07e9a5318182460a908fce
SHA1 0125fa79f9958f23f359f53f1a819251d064dc76
SHA256 301bdf696af7daa0668b7550dc5eb07f0830c302539dd4ce67571b3128b8e563
SHA512 69e955a4306db2dc7c5c92f752e732ef255b20424a9763fac1e8d07dc5cbb81c7162280be557527570fe417271805743e512f393077439891868dfe833dec66a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 4a078fb8a7c67594a6c2aa724e2ac684
SHA1 92bc5b49985c8588c60f6f85c50a516fae0332f4
SHA256 c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee
SHA512 188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\826A.exe

MD5 89b44b6dd1abccf5a62b9e8c269ea551
SHA1 ae07569a8cec4044cc1ac96ad54395115dd2c26d
SHA256 745b651bad3e1cfc07764eae1e23d6c7406864b7ff8b55a314da37a4a1ee11b3
SHA512 e9cc2ebebaee183f4e3f1ccf2fd71b5b27c8d1e620d1817aa9a64fa963c870c118fe6d953b52cfcde337a438693696c73a835417e34a85d45311026fde03e5ae

C:\Users\Admin\AppData\Local\Temp\826A.exe

MD5 89b44b6dd1abccf5a62b9e8c269ea551
SHA1 ae07569a8cec4044cc1ac96ad54395115dd2c26d
SHA256 745b651bad3e1cfc07764eae1e23d6c7406864b7ff8b55a314da37a4a1ee11b3
SHA512 e9cc2ebebaee183f4e3f1ccf2fd71b5b27c8d1e620d1817aa9a64fa963c870c118fe6d953b52cfcde337a438693696c73a835417e34a85d45311026fde03e5ae

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WN25bw.exe

MD5 b0711d95988cf69fde15564d88e06d52
SHA1 38e3d7109b54e5ff4d762431366b74c31d7fac4c
SHA256 f69d1004c1b80988168ee0c9b7e2e84bbb56797396c12f19564aa6a860ce38b7
SHA512 e3dd73df569898dc53ba660108bf108d80f898d5a7b5f8aa2d743719d3f8c85364f41f01db3ec36dcaf4ac8a75313fb169d72ce4575b9d74d62de1cb16f373ff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn8ax5LL.exe

MD5 d5a48dd6094b020d024935a3bc1a1fc7
SHA1 6941587c9990a19bf53c46173d90142e6f90187a
SHA256 2f56f9d9b2ecc4817e8e3b33ce750006f34def4025b29ddb8b2b253892027e8f
SHA512 932e3ebdbbcf25870faa14cb5a5948cab0ac0b64d2be7779d32abe2a7bfcd04510868b554119eec4ac5655eb329a9c677de6df9ff58a470f42007ae01a5e6336

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn8ax5LL.exe

MD5 d5a48dd6094b020d024935a3bc1a1fc7
SHA1 6941587c9990a19bf53c46173d90142e6f90187a
SHA256 2f56f9d9b2ecc4817e8e3b33ce750006f34def4025b29ddb8b2b253892027e8f
SHA512 932e3ebdbbcf25870faa14cb5a5948cab0ac0b64d2be7779d32abe2a7bfcd04510868b554119eec4ac5655eb329a9c677de6df9ff58a470f42007ae01a5e6336

C:\Users\Admin\AppData\Local\Temp\83C2.exe

MD5 8b0ed4666bd91b0e8ca8ee91d9c144d1
SHA1 250c579a942cf326c980616612c4abaa1ec405a1
SHA256 d6787d595054e8fdab1a134e7832ec96629fa074aa14f8e819b873dbd7a8f79e
SHA512 e1b05d107d11e35cf912541d18e81a4487143d456579ba8714b82c7c40bfe9a4de28a4435c36fc1fa27ae498ff6fcd1525b5a579108ba0433c7131aec15500ad

C:\Users\Admin\AppData\Local\Temp\83C2.exe

MD5 8b0ed4666bd91b0e8ca8ee91d9c144d1
SHA1 250c579a942cf326c980616612c4abaa1ec405a1
SHA256 d6787d595054e8fdab1a134e7832ec96629fa074aa14f8e819b873dbd7a8f79e
SHA512 e1b05d107d11e35cf912541d18e81a4487143d456579ba8714b82c7c40bfe9a4de28a4435c36fc1fa27ae498ff6fcd1525b5a579108ba0433c7131aec15500ad

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xA4CA7qI.exe

MD5 6461c41fa28501b6672f08ff33caea3b
SHA1 44832f25868e3b4c30d83332024f7ab83da57a60
SHA256 a49a85c698fbdbcd173b31b21e3cebce2acbde872af00a887839bd482a64b72d
SHA512 221123d6cb3d926d840fa6248f7d0afcfc9833dec457061bf3d9ce85cd32c39920ceea41c239a81abfc7829c22846342490e71f4093204b95025b745e511fae5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xA4CA7qI.exe

MD5 6461c41fa28501b6672f08ff33caea3b
SHA1 44832f25868e3b4c30d83332024f7ab83da57a60
SHA256 a49a85c698fbdbcd173b31b21e3cebce2acbde872af00a887839bd482a64b72d
SHA512 221123d6cb3d926d840fa6248f7d0afcfc9833dec457061bf3d9ce85cd32c39920ceea41c239a81abfc7829c22846342490e71f4093204b95025b745e511fae5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS3dA3lQ.exe

MD5 dd8145fdb4d80155d612de21c4ebe518
SHA1 0982d92f955ceb752ee503b0fd5822e633df8e6c
SHA256 c88f63528c80c2dc88aa5da80c7c35b3f8b2de3beaeea8e7759c52bd983b6088
SHA512 3acc51db814f847aa2701d8e56f8fd7605ad08bc0d46ad3888f42917ffedd6337b1ecb4ac4c60b4bb1f906c2b30a3d246f51fb7d25b8a47453e7debb3106723b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS3dA3lQ.exe

MD5 dd8145fdb4d80155d612de21c4ebe518
SHA1 0982d92f955ceb752ee503b0fd5822e633df8e6c
SHA256 c88f63528c80c2dc88aa5da80c7c35b3f8b2de3beaeea8e7759c52bd983b6088
SHA512 3acc51db814f847aa2701d8e56f8fd7605ad08bc0d46ad3888f42917ffedd6337b1ecb4ac4c60b4bb1f906c2b30a3d246f51fb7d25b8a47453e7debb3106723b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO4ku8QT.exe

MD5 af1c81bfdb59f14d7d7e6d1a2d94112b
SHA1 14d2abe6756ce57f0fd79f62eef31232ce9a5747
SHA256 042484a1d9b834fbe4b7902ae77086e34af5badaf29933da665a30c42589042a
SHA512 b3f203db665d947c283a4e39855a58b425d1095da136ebf8a41aaa3ed4c2e9dccd33fb40274b919d541c786fe48cf6f3b03899930b9f260a016eec8deed413b1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1wY70qY8.exe

MD5 8b0ed4666bd91b0e8ca8ee91d9c144d1
SHA1 250c579a942cf326c980616612c4abaa1ec405a1
SHA256 d6787d595054e8fdab1a134e7832ec96629fa074aa14f8e819b873dbd7a8f79e
SHA512 e1b05d107d11e35cf912541d18e81a4487143d456579ba8714b82c7c40bfe9a4de28a4435c36fc1fa27ae498ff6fcd1525b5a579108ba0433c7131aec15500ad

C:\Users\Admin\AppData\Local\Temp\850C.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1wY70qY8.exe

MD5 8b0ed4666bd91b0e8ca8ee91d9c144d1
SHA1 250c579a942cf326c980616612c4abaa1ec405a1
SHA256 d6787d595054e8fdab1a134e7832ec96629fa074aa14f8e819b873dbd7a8f79e
SHA512 e1b05d107d11e35cf912541d18e81a4487143d456579ba8714b82c7c40bfe9a4de28a4435c36fc1fa27ae498ff6fcd1525b5a579108ba0433c7131aec15500ad

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1wY70qY8.exe

MD5 8b0ed4666bd91b0e8ca8ee91d9c144d1
SHA1 250c579a942cf326c980616612c4abaa1ec405a1
SHA256 d6787d595054e8fdab1a134e7832ec96629fa074aa14f8e819b873dbd7a8f79e
SHA512 e1b05d107d11e35cf912541d18e81a4487143d456579ba8714b82c7c40bfe9a4de28a4435c36fc1fa27ae498ff6fcd1525b5a579108ba0433c7131aec15500ad

memory/5264-338-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5264-339-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5264-342-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\87FB.exe

MD5 c640e1bbaa4a6a762507a7b95bc35cfe
SHA1 517a996179be849a6d3ab9da9f0072d5eec1adda
SHA256 07d9da4fed04ca2a1ade4eb8783ecd814f5141e3583953b13a013cb27831dace
SHA512 ae33d80f9e24d016f8556c406b37cf7bdb2b401105324a36d43918e3a2ab8e5f97233399659d921c43dacd600a952f63fb89d220e804e534704d5980871c6117

memory/5392-346-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5392-347-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89C1.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/5392-354-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5476-353-0x0000000000D60000-0x0000000000D6A000-memory.dmp

memory/5476-355-0x00007FFE33900000-0x00007FFE343C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8B96.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5264-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5664-364-0x0000000073F70000-0x0000000074720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8632.tmp\8633.tmp\8634.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5664-370-0x0000000007A10000-0x0000000007A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jw606Sc.exe

MD5 99746d73f0c2ffc6c1940cbdffb9af5b
SHA1 17105b0ef3f79169ab20eeda3244d81b2c325513
SHA256 c6375485628cd832d206747cc685e2ca8dcf7cfbb373c13e0bb4f025a2709d01
SHA512 63d26b81d723ff539881474525bed935c5b0c10af755e730d9d68c4d09c56e804fb7a967c2ce12310b2f908f223744f3e8ccf9818e435f41a1aa032f641e0840

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 48debd073f10b6b1d0da93113430bc4b
SHA1 59f7430809b93740a5ea179bd7b9374569e1b5ef
SHA256 f393dd0179ee4a17b4bc34d719e8d579dbebc4327666867fd368bcd65ef62de1
SHA512 ee395c2e9f09d0e402ba07fc3b952038bc64164f5dfe11f8ef21dd39c589a17677bb9588e4a819e62b5b42ae26fdfc6c141a1381ae1fb0c8a12034d75fbd7801

memory/5836-382-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/5836-383-0x0000000000B30000-0x0000000000B6E000-memory.dmp

memory/5836-384-0x0000000007A60000-0x0000000007A70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

memory/5476-507-0x00007FFE33900000-0x00007FFE343C1000-memory.dmp

memory/5664-511-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/5476-513-0x00007FFE33900000-0x00007FFE343C1000-memory.dmp

memory/5664-514-0x0000000007A10000-0x0000000007A20000-memory.dmp

memory/5836-515-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/5836-516-0x0000000007A60000-0x0000000007A70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1dc8cd3eef1d1a34443d3706ed2b6bb4
SHA1 a2edb76701fa02ea51d076d85334181207d60e78
SHA256 e57a327cd91d0df9a2ec5e07e1ad0c2575b117f8558fbd688a455452a5eeb78d
SHA512 4d67bfb1a10cf82d870e3b98f73d0379b2ff49475eca9069c0f4b3d6cbf2e8cf473d01d522809cc60c131512d7bbdf5cb33b0c9dbf1195e774bd3688f791c66b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e0ae27b47faefca8664f0f3d74427f8f
SHA1 8274c038dac250e94900e0ca2711e43ec2adf0f1
SHA256 63e386f2832624653814bb54c1de6b8a051f424bad0db94bbfb2446a9660028a
SHA512 2158823a0f846228d926a8ed8ecf763d15c14428a85abe16899602a3b6be4c696978ee188b48ccf9286673bcb1eb7df691318c613f2e658de052617d5380162c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c36a.TMP

MD5 1593f9bcb667f626d54ae51687d07a9d
SHA1 e102db350e1b899d5339a2539df3edccc28db772
SHA256 2de3ecf36862ab08399befa62744846e75a2f70dabcb1d3d22f4159d2e820900
SHA512 35bf6ff328a197ec3d12ca001450fc6cc6627b90000e0ca7807147bcb8cd8d0234641f9fd2377d282d6019122b8cee2f3d9887b30bb9b6b7fcd2067b82ee39c4

memory/5740-546-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/5740-547-0x0000000000EA0000-0x0000000001DCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/3124-580-0x0000000000400000-0x000000000046F000-memory.dmp

memory/376-581-0x0000000000760000-0x0000000000C76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/376-574-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/3124-583-0x0000000001F70000-0x0000000001FCA000-memory.dmp

memory/376-589-0x0000000005600000-0x0000000005610000-memory.dmp

memory/5740-585-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/376-591-0x0000000005780000-0x000000000581C000-memory.dmp

memory/376-592-0x00000000056D0000-0x00000000056D1000-memory.dmp

memory/3124-593-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/5532-594-0x0000000000A50000-0x0000000000A6E000-memory.dmp

memory/2852-595-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/2852-599-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5532-596-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/5536-605-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2852-606-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/5876-604-0x0000000002450000-0x0000000002550000-memory.dmp

memory/5536-607-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2852-608-0x0000000000870000-0x0000000000880000-memory.dmp

memory/5532-603-0x0000000005270000-0x0000000005280000-memory.dmp

memory/5876-601-0x00000000023F0000-0x00000000023F9000-memory.dmp

memory/376-610-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/6120-611-0x0000000004370000-0x0000000004777000-memory.dmp

memory/6120-612-0x0000000004780000-0x000000000506B000-memory.dmp

memory/3124-613-0x0000000000400000-0x000000000046F000-memory.dmp

memory/6120-614-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e4334b2edd8ceaf6505ba1d998fcd16c
SHA1 fe87669aa70254c1a6fc47f7644d3cc8fd904dae
SHA256 c07cc5f1795f0a101b1a327a2d4b8a1d5122638ce448dd1212c22c39756c7da7
SHA512 37161c2a2f1d012629ae0736dc7cc7c95de659970de9b504a8264be392ff79c9502a4ef2d757ebdc6ea2c7e0cd3cc25713ac2196f7fd274e5cb4ff98023174b7

memory/2852-615-0x0000000005E70000-0x0000000006032000-memory.dmp

memory/2852-625-0x0000000006060000-0x000000000658C000-memory.dmp

memory/2684-628-0x00000000034C0000-0x00000000034D6000-memory.dmp

memory/5536-629-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 30f45340ae84c412d47f510e264fee4d
SHA1 3f999cb1a051d2d6918de7cf60ccadbb022df214
SHA256 b9650bb418a8d3a86902f896ae059eada8c22f3e8066430ea0f3da4192e58387
SHA512 c8d45b9de4bda3230d1266f1a3401056cd687d2a5b858a444c1e758cc881f99d92793967eea3799a1bb87136cd045d0b736142e2317ab0672a7bc2807ba04425

memory/6120-654-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2f7e5890b8c04a42fd3daebe8c93d6d3
SHA1 0b6ab9900a8813beae2cf1b8c0adfc1b71e0b8fc
SHA256 7cad2b6be98c48766b552c9520872b840ccb77d88e9ac357d664484edcdae76e
SHA512 cd6c6f90a83b68237df7bd4298564f776f0ca3e0c411952d96e40e557654f7b8243221b3cb56c1f2cd11a9ca3ac64794e33b4a89a19b8a06c5bbf084fcb27e05

memory/6036-669-0x00007FF6227A0000-0x00007FF622D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp94.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpB9.tmp

MD5 9bea288e5e9ccef093ddee3a5ab588f3
SHA1 02a72684263b4bcd2858f48b0a1aec5d636782e3
SHA256 a77cae820a99813a04bbcf7b80b7a56a03b8d53813b441ef7542e81dcdad3257
SHA512 68f9a928cabfc886131f047b0fe74ba67af5b1082083ae5543ba8b1b3189bdd02f15929736e6cc0c561a02915f29bf58bbc4022e6f823549344d9f14a3c2be07

C:\Users\Admin\AppData\Local\Temp\tmp132.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp177.tmp

MD5 aefc38245e43d4c7f82163259384ec87
SHA1 9ed5fd0eb1507bc43cdfb2ca2c9f3908ea15e880
SHA256 c31b183f4b119612626af7edfc13e9ec1dce352eccb95e81498c5af8dff7e65d
SHA512 9a0797b0ab65eaf7d406f4c5b8e4502d5e152fbd9b921958be368fc3f38ea08f18910505946327ce22b63e36ae60343ba06c87e7469df1c3e99ab69d803e077c

C:\Users\Admin\AppData\Local\Temp\tmp205.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp221.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hombffjt.22i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
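The listing above is flat text, and the triage questions it answers are not obvious by eye: which entries are the same payload under two names (8B96.exe in Temp and explothe.exe under the random-named fefffe8cea directory carry identical hashes, which is the loader's persistence copy), which files are listed several times because several events touched them, and which memory ranges were dumped per PID. The script below is an added example, not tooling from the sandbox or the report, that parses this layout into records and answers those questions. It assumes the format exactly as shown on the page (a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines; memory regions as single memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp lines); the sample input is a few entries excerpted verbatim from this report, arranged to include one exact repeat and one repeated region. Function names are the example's own.

```python
"""Parse the flat 'Files' listing of a sandbox report and triage it.
Added example; assumes the layout shown on the page: path line, blank,
MD5/SHA1/SHA256/SHA512 lines, and single-line memory region entries."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: entries excerpted verbatim from the report's listing
# (real hashes), arranged to show one exact repeat and one repeated region.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\8B96.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5664-364-0x0000000073F70000-0x0000000074720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5664-511-0x0000000073F70000-0x0000000074720000-memory.dmp
"""

def parse_listing(text):
    """Return (files, dumps). files keeps every occurrence so repeats can be
    counted; dumps holds one dict per memory region line."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            current = None  # a region line closes the open file record
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line with no preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:  # catch truncated/garbled digests
                raise ValueError(f"bad {algo} length for {current['path']}")
            current[algo.lower()] = digest
            continue
        current = {"path": line}  # anything else starts a new file record
        files.append(current)
    return files, dumps

def occurrence_counts(files):
    """(path, sha256) -> how many times the report listed that entry."""
    counts = defaultdict(int)
    for f in files:
        counts[(f["path"], f.get("sha256"))] += 1
    return dict(counts)

def same_content_other_path(files):
    """SHA256 -> sorted distinct paths, only for hashes seen under more than
    one path: a Temp-dropped payload reappearing under another directory."""
    by_hash = defaultdict(set)
    for f in files:
        if "sha256" in f:
            by_hash[f["sha256"]].add(f["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def regions_by_pid(dumps):
    """PID -> sorted distinct (start, end) ranges that were dumped."""
    out = defaultdict(set)
    for d in dumps:
        out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in out.items()}

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    print(same_content_other_path(files))
    print({k: n for k, n in occurrence_counts(files).items() if n > 1})
    print({pid: [f"0x{s:X}-0x{e:X}" for s, e in r] for pid, r in regions_by_pid(dumps).items()})
```

Run against the full listing, the same-hash-different-path report is the quickest way to spot the copy a loader makes of itself before adding a Run key, and the length check on each digest flags entries mangled during extraction rather than silently accepting them.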