Malware Analysis Report

2025-08-05 19:00

Sample ID 231019-hbcqssed4z
Target d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d
SHA256 d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d
Tags
amadey dcrat glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 backdoor microsoft discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d

Threat Level: Known bad

The file d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 backdoor microsoft discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan

RedLine

SectopRAT payload

Modifies Windows Defender Real-time Protection settings

Glupteba payload

Amadey

RedLine payload

Glupteba

SmokeLoader

DcRat

SectopRAT

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of local email clients

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

.NET Reactor proctector

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Detected potential entity reuse from brand microsoft.

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-19 06:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-19 06:33

Reported

2023-10-19 06:35

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EA2B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CE90.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9D8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CA85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC6B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Uz913gW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D16F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D364.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D588.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA2B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EBF1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EEE0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F181.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EBF1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EBF1.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\EEE0.exe'\"" C:\Users\Admin\AppData\Local\Temp\EEE0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\C9D8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\EBF1.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CD85.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D364.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\C9D8.exe
PID 912 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\C9D8.exe
PID 912 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\C9D8.exe
PID 912 wrote to memory of 4080 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA85.exe
PID 912 wrote to memory of 4080 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA85.exe
PID 912 wrote to memory of 4080 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA85.exe
PID 3092 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\C9D8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe
PID 3092 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\C9D8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe
PID 3092 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\C9D8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe
PID 912 wrote to memory of 2284 N/A N/A C:\Windows\system32\cmd.exe
PID 912 wrote to memory of 2284 N/A N/A C:\Windows\system32\cmd.exe
PID 1560 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe
PID 1560 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe
PID 1560 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe
PID 3532 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe
PID 3532 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe
PID 3532 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe
PID 912 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC6B.exe
PID 912 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC6B.exe
PID 912 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC6B.exe
PID 3588 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe
PID 3588 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe
PID 3588 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe
PID 1924 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe
PID 1924 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe
PID 1924 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe
PID 912 wrote to memory of 4796 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD85.exe
PID 912 wrote to memory of 4796 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD85.exe
PID 912 wrote to memory of 4796 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD85.exe
PID 1924 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Uz913gW.exe
PID 1924 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Uz913gW.exe
PID 1924 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Uz913gW.exe
PID 912 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE90.exe
PID 912 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE90.exe
PID 912 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE90.exe
PID 912 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\D16F.exe
PID 912 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\D16F.exe
PID 912 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\D16F.exe
PID 912 wrote to memory of 452 N/A N/A C:\Users\Admin\AppData\Local\Temp\D364.exe
PID 912 wrote to memory of 452 N/A N/A C:\Users\Admin\AppData\Local\Temp\D364.exe
PID 912 wrote to memory of 452 N/A N/A C:\Users\Admin\AppData\Local\Temp\D364.exe
PID 2284 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2284 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 912 wrote to memory of 1632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D588.exe
PID 912 wrote to memory of 1632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D588.exe
PID 912 wrote to memory of 1632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D588.exe
PID 1808 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\CE90.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1808 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\CE90.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1808 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\CE90.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 912 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB84.exe
PID 912 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB84.exe
PID 912 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB84.exe
PID 3596 wrote to memory of 3744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3596 wrote to memory of 3744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4604 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4604 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4604 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4604 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe

"C:\Users\Admin\AppData\Local\Temp\d04c3a07541d66c83cf673134c31f7294ad6b01bfe776a22c811cd1a69d0bc2d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\C9D8.exe

C:\Users\Admin\AppData\Local\Temp\C9D8.exe

C:\Users\Admin\AppData\Local\Temp\CA85.exe

C:\Users\Admin\AppData\Local\Temp\CA85.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CB80.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe

C:\Users\Admin\AppData\Local\Temp\CC6B.exe

C:\Users\Admin\AppData\Local\Temp\CC6B.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe

C:\Users\Admin\AppData\Local\Temp\CD85.exe

C:\Users\Admin\AppData\Local\Temp\CD85.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Uz913gW.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Uz913gW.exe

C:\Users\Admin\AppData\Local\Temp\CE90.exe

C:\Users\Admin\AppData\Local\Temp\CE90.exe

C:\Users\Admin\AppData\Local\Temp\D16F.exe

C:\Users\Admin\AppData\Local\Temp\D16F.exe

C:\Users\Admin\AppData\Local\Temp\D364.exe

C:\Users\Admin\AppData\Local\Temp\D364.exe

C:\Users\Admin\AppData\Local\Temp\D588.exe

C:\Users\Admin\AppData\Local\Temp\D588.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\DB84.exe

C:\Users\Admin\AppData\Local\Temp\DB84.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffdca1f46f8,0x7ffdca1f4708,0x7ffdca1f4718

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdca1f46f8,0x7ffdca1f4708,0x7ffdca1f4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\EA2B.exe

C:\Users\Admin\AppData\Local\Temp\EA2B.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\EBF1.exe

C:\Users\Admin\AppData\Local\Temp\EBF1.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\F181.exe

C:\Users\Admin\AppData\Local\Temp\F181.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3368 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\EEE0.exe

C:\Users\Admin\AppData\Local\Temp\EEE0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,9981751699782858650,593710436558938184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4596 -ip 4596

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=D16F.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdca1f46f8,0x7ffdca1f4708,0x7ffdca1f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,12793940223309676006,7189360354638774919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=D16F.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdca1f46f8,0x7ffdca1f4708,0x7ffdca1f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17013155693332064721,6009476204086365373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
NL 85.209.176.128:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
N/A 224.0.0.251:5353 udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
IE 34.255.45.168:443 mscom.demdex.net tcp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 168.45.255.34.in-addr.arpa udp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.97.0:80 hellouts.fun tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 52.168.117.170:443 browser.events.data.microsoft.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 52.168.117.170:443 browser.events.data.microsoft.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
US 8.8.8.8:53 666930f2-cc06-4672-9109-dafe37b9134d.uuid.statsexplorer.org udp
US 8.8.8.8:53 server14.statsexplorer.org udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 8.8.8.8:53 stun4.l.google.com udp
JP 172.217.213.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 127.213.217.172.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 8.8.8.8:53 stun1.l.google.com udp
IN 172.253.121.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 127.121.253.172.in-addr.arpa udp

Files

memory/4764-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4764-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/912-2-0x0000000002E30000-0x0000000002E46000-memory.dmp

memory/4764-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C9D8.exe

MD5 e866d9d2ed122fa7d3cc82a40c904b25
SHA1 46024d0868e99f21096903826de84be99cdb1724
SHA256 bda15679876b482e8a2caefd5d01ba78958bb315046da32cce4e1c7767d5dd5e
SHA512 f1317115386a650512bd41b4c779e745488f352c0c322d274124cfb09f76b41d98f21c69e286b0e102e58ff1512d0adeb11672ae67dfd6ab862f8e28369b5aa9

C:\Users\Admin\AppData\Local\Temp\C9D8.exe

MD5 e866d9d2ed122fa7d3cc82a40c904b25
SHA1 46024d0868e99f21096903826de84be99cdb1724
SHA256 bda15679876b482e8a2caefd5d01ba78958bb315046da32cce4e1c7767d5dd5e
SHA512 f1317115386a650512bd41b4c779e745488f352c0c322d274124cfb09f76b41d98f21c69e286b0e102e58ff1512d0adeb11672ae67dfd6ab862f8e28369b5aa9

C:\Users\Admin\AppData\Local\Temp\CA85.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\CA85.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe

MD5 0f29f734a3ed3e88c35945ebc6e211b1
SHA1 ba65f798e070418cffb1f9670586bc87b7daab14
SHA256 9f37d58e3245ff611d959c735f470caf17367d87748362be59d14b381a8f153a
SHA512 ca88414b8e15ad44fc0b16d168488b6cffc2be662ce4792c62d8d801642e071317109fcb6b90d613707f68c5a77d28fe4a003eae5eeee97d1712da3599fd0ca5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HN9LN0eh.exe

MD5 0f29f734a3ed3e88c35945ebc6e211b1
SHA1 ba65f798e070418cffb1f9670586bc87b7daab14
SHA256 9f37d58e3245ff611d959c735f470caf17367d87748362be59d14b381a8f153a
SHA512 ca88414b8e15ad44fc0b16d168488b6cffc2be662ce4792c62d8d801642e071317109fcb6b90d613707f68c5a77d28fe4a003eae5eeee97d1712da3599fd0ca5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe

MD5 42880bc10a71bf96614ab9694c052441
SHA1 0424fc0fdc59df64e1a6f57c288dcc3f5087f681
SHA256 0ea73269c30db74bd4b1e6f59efc649b188731022737394137bbb2d5ff2ea4d9
SHA512 ae620a903c1edc41ad6a1038bf42abf6af73004eab613e22987a3992e044f434c204518855d2ada56e2f85d647e968f49a5b7d37a6f9dda71c07231a6e87d3cd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fQ4zz1OU.exe

MD5 42880bc10a71bf96614ab9694c052441
SHA1 0424fc0fdc59df64e1a6f57c288dcc3f5087f681
SHA256 0ea73269c30db74bd4b1e6f59efc649b188731022737394137bbb2d5ff2ea4d9
SHA512 ae620a903c1edc41ad6a1038bf42abf6af73004eab613e22987a3992e044f434c204518855d2ada56e2f85d647e968f49a5b7d37a6f9dda71c07231a6e87d3cd

C:\Users\Admin\AppData\Local\Temp\CB80.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe

MD5 04f17a0bf5aaace40dd576a8c392cb98
SHA1 4719ff8abb7bfe4bccb3e569fba6380c71b68f3c
SHA256 2d58ae52ba4362a7da96794fdb99b7c0eee72f4594eda903a5ee361cdbe047ec
SHA512 b9a29a73253573942a27dda88b2ef07aca97a2b662c422813f7edd068e059824af1e73f5c1b81e6aec3b6572b533981b466fe79ddeb567596fdab27375aafa5c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn6Zl7yx.exe

MD5 04f17a0bf5aaace40dd576a8c392cb98
SHA1 4719ff8abb7bfe4bccb3e569fba6380c71b68f3c
SHA256 2d58ae52ba4362a7da96794fdb99b7c0eee72f4594eda903a5ee361cdbe047ec
SHA512 b9a29a73253573942a27dda88b2ef07aca97a2b662c422813f7edd068e059824af1e73f5c1b81e6aec3b6572b533981b466fe79ddeb567596fdab27375aafa5c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe

MD5 55ab38b5dda87231b76fdd87130a1fea
SHA1 5085d89781cada310dcec0437df1031b185b9aa0
SHA256 b6dde7ad7d46ff2df44f32abdc73b447addfef626afd6c4e45cd7b0153995894
SHA512 2429dd4031c8fb7c6fbce23c35896c63985ef6ceeed5c5b1c59782ccd4b41b05caa388862c13d9ad5db90aec007dba865319d369b2046f48dd0f34831c7c8275

C:\Users\Admin\AppData\Local\Temp\CC6B.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\CC6B.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UX3KY4Mg.exe

MD5 55ab38b5dda87231b76fdd87130a1fea
SHA1 5085d89781cada310dcec0437df1031b185b9aa0
SHA256 b6dde7ad7d46ff2df44f32abdc73b447addfef626afd6c4e45cd7b0153995894
SHA512 2429dd4031c8fb7c6fbce23c35896c63985ef6ceeed5c5b1c59782ccd4b41b05caa388862c13d9ad5db90aec007dba865319d369b2046f48dd0f34831c7c8275

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vO67Ui7.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\CD85.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\CD85.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Uz913gW.exe

MD5 896d84265a97ea364e53f4736ce3106b
SHA1 cf31ed0e6b3c17faf80aa6a360341df579ee77ac
SHA256 7af672dbf8ad28abb942a9396b7888f018dbdaa62595b2d306f3b4eb4b7ef1c4
SHA512 493e5d2cabb04e5e2c4c406156c5e0647fe71a840de2c6e17e0e083f6c0611b85d13e6ac495e29b903000cb0838786763dd9a0822c22bbbaaeca54cc9d2d97ad

memory/2144-66-0x0000000073D30000-0x00000000744E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Uz913gW.exe

MD5 896d84265a97ea364e53f4736ce3106b
SHA1 cf31ed0e6b3c17faf80aa6a360341df579ee77ac
SHA256 7af672dbf8ad28abb942a9396b7888f018dbdaa62595b2d306f3b4eb4b7ef1c4
SHA512 493e5d2cabb04e5e2c4c406156c5e0647fe71a840de2c6e17e0e083f6c0611b85d13e6ac495e29b903000cb0838786763dd9a0822c22bbbaaeca54cc9d2d97ad

memory/2144-70-0x00000000008D0000-0x000000000090E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE90.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4136-74-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/4136-73-0x0000000000450000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE90.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4796-75-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/4796-82-0x0000000004B60000-0x0000000004B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D16F.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/4136-87-0x0000000007750000-0x0000000007CF4000-memory.dmp

memory/4136-89-0x0000000007240000-0x00000000072D2000-memory.dmp

memory/4796-88-0x0000000002510000-0x000000000252E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D364.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

C:\Users\Admin\AppData\Local\Temp\D588.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\D16F.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/4136-95-0x0000000007200000-0x0000000007210000-memory.dmp

memory/2144-103-0x00000000078E0000-0x00000000078F0000-memory.dmp

memory/4136-102-0x00000000073D0000-0x00000000073DA000-memory.dmp

memory/4796-94-0x0000000002510000-0x0000000002528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D364.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4796-112-0x0000000002510000-0x0000000002528000-memory.dmp

memory/2144-116-0x0000000008240000-0x000000000834A000-memory.dmp

memory/452-114-0x0000000000EA0000-0x0000000000EBE000-memory.dmp

memory/2144-113-0x0000000008860000-0x0000000008E78000-memory.dmp

memory/1632-109-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/4796-107-0x0000000002510000-0x0000000002528000-memory.dmp

memory/1632-105-0x00000000002E0000-0x000000000033A000-memory.dmp

memory/4796-98-0x0000000002510000-0x0000000002528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D588.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4796-83-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/4796-80-0x0000000002060000-0x0000000002080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4796-121-0x0000000002510000-0x0000000002528000-memory.dmp

memory/2144-122-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/1632-126-0x0000000007040000-0x0000000007050000-memory.dmp

memory/4796-128-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4796-133-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4796-140-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4136-138-0x0000000007520000-0x000000000755C000-memory.dmp

memory/4796-143-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4136-144-0x0000000007560000-0x00000000075AC000-memory.dmp

memory/4796-146-0x0000000002510000-0x0000000002528000-memory.dmp

memory/452-147-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/4796-149-0x0000000002510000-0x0000000002528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB84.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/4796-151-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4796-154-0x0000000002510000-0x0000000002528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB84.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/2144-139-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

memory/4136-135-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/1632-134-0x0000000007340000-0x0000000007352000-memory.dmp

memory/2008-129-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2008-123-0x00000000005D0000-0x000000000062A000-memory.dmp

memory/452-118-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/4796-117-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4796-157-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4796-158-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/4796-160-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4796-162-0x0000000002510000-0x0000000002528000-memory.dmp

memory/4796-163-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/1552-164-0x0000000000990000-0x0000000000AAB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/3504-173-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1956-178-0x00000000002E0000-0x0000000000738000-memory.dmp

memory/4796-179-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/4796-182-0x0000000004B60000-0x0000000004B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA2B.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/1956-186-0x0000000073D30000-0x00000000744E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA2B.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/1632-170-0x0000000007C70000-0x0000000007CD6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Temp\EBF1.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/1552-195-0x0000000000990000-0x0000000000AAB000-memory.dmp

memory/3504-197-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/4136-194-0x0000000007200000-0x0000000007210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEE0.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\EEE0.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Temp\EBF1.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Temp\F181.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Temp\F181.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

memory/3504-217-0x0000000007CC0000-0x0000000007CD0000-memory.dmp

\??\pipe\LOCAL\crashpad_3596_YIJGHXLVRKPAKGAU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2144-215-0x00000000078E0000-0x00000000078F0000-memory.dmp

memory/4596-223-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/1632-229-0x0000000073D30000-0x00000000744E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/4596-236-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b53ec8603277ce52d470202d66b44ed6
SHA1 a9b39f14ab40f4dc11d1768c5f5232cadab1ebe5
SHA256 73c992d2ff394c27c519744640def30f2487bfc85a3281a9737bea522ec24506
SHA512 5a1e3d75fb043d09753824f80853bd5abdf9c7dbf76a6491dfda32aad382a6c82b117db6a0984e365c9495611356eb1273ae0abfa066d1d8c1f6faa3383a756f

memory/452-235-0x0000000073D30000-0x00000000744E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBF1.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Temp\EBF1.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 18c5b0b56023a5fe67b96dfda2b7c2a6
SHA1 1627eed32bdbe6e4b73d13c8174f1788efb57844
SHA256 039c6e685a6d7579f27ce764098c1099bd3ea44ee3ecd996f8569b7dd2e2f0e9
SHA512 cf40087190ec762d4b964316dc335a1b41c1e681df236da151b6082f130dd64180035e8f2bad9a51a80fd5b0e7498ad405cfd9a2a17f2ff25633e5e21e6dee6d

memory/4596-258-0x0000000073D30000-0x00000000744E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1632-281-0x0000000007040000-0x0000000007050000-memory.dmp

memory/1956-282-0x0000000073D30000-0x00000000744E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_4832_ZPVOSHGIOAIZCKFN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/452-298-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/5368-299-0x0000000004CC0000-0x00000000050C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/5368-325-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b92a4befdd4dadc4b3de63b9421c3b41
SHA1 385c1ddf0d5cba20fa663a45332924fce47a6e97
SHA256 05543e5a88a9bc759b16ef10fb7fdc798b71f2cdf77219906d202d277ef14fdb
SHA512 2f7aef7ecccfbc85c9d177d37f7d5b1f27980e589412946389a7757eb2b37117c7c3add3039feba31a6835b1a7f25c083e4e15b1fefcd88fe13a9733667a785a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 18c5b0b56023a5fe67b96dfda2b7c2a6
SHA1 1627eed32bdbe6e4b73d13c8174f1788efb57844
SHA256 039c6e685a6d7579f27ce764098c1099bd3ea44ee3ecd996f8569b7dd2e2f0e9
SHA512 cf40087190ec762d4b964316dc335a1b41c1e681df236da151b6082f130dd64180035e8f2bad9a51a80fd5b0e7498ad405cfd9a2a17f2ff25633e5e21e6dee6d

memory/4596-338-0x00000000024E0000-0x0000000002510000-memory.dmp

memory/1632-339-0x0000000009210000-0x0000000009286000-memory.dmp

memory/4596-340-0x0000000002510000-0x0000000002540000-memory.dmp

memory/5368-337-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/1632-341-0x0000000009460000-0x0000000009622000-memory.dmp

memory/1632-343-0x0000000009B60000-0x000000000A08C000-memory.dmp

memory/1632-346-0x00000000093A0000-0x00000000093BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4ff20c809f3decf55aef7673814ba773
SHA1 26716bb8fcb7f671fb7df4a9444b02627c3a70f8
SHA256 f51b93de237a5a6e199ee1d3f533cb05700d44ad83b5605905bfb5b63f5a23a1
SHA512 5293f95f261164421f3af61cdacb18454b715eaba0f95d9f4e87dcc749783ac9e00e49b7a615968d019693ac6098433d4338bfd9058de2abea65d93936190e0c

memory/4796-359-0x0000000073D30000-0x00000000744E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b92a4befdd4dadc4b3de63b9421c3b41
SHA1 385c1ddf0d5cba20fa663a45332924fce47a6e97
SHA256 05543e5a88a9bc759b16ef10fb7fdc798b71f2cdf77219906d202d277ef14fdb
SHA512 2f7aef7ecccfbc85c9d177d37f7d5b1f27980e589412946389a7757eb2b37117c7c3add3039feba31a6835b1a7f25c083e4e15b1fefcd88fe13a9733667a785a

memory/3504-365-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/5368-368-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1632-371-0x0000000009B10000-0x0000000009B60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1fd9309e-1b33-4d2a-95d1-0457d32143a3.tmp

MD5 664ec6dde0f4b1f8272fb76edb2dba85
SHA1 19b24467b944b0c395e81535f886f7dfa218ebef
SHA256 790ca4fe2fc12a5594b3024a45e6e5e2ac2747603fdbaa7d26b008dd99c66215
SHA512 080372f8fcbe40810fc67d26b6b3e56ede66d02f7bccee730a6fbb90826f51962e4cd53a579953a63cbee28519f33d638b745303cee2b9eda7a75a4874545eaa

memory/1632-403-0x0000000073D30000-0x00000000744E0000-memory.dmp

memory/5084-404-0x00000000032A0000-0x00000000032D6000-memory.dmp

memory/5368-405-0x0000000004CC0000-0x00000000050C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_op4o10qh.11y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5368-430-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/5368-487-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4852-495-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/4852-562-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4896-620-0x0000000000400000-0x0000000002FB8000-memory.dmp