Analysis Overview
SHA256
362d8f8fcc698554a750a5dfb1e261eb3b5442fb4bfe4746c8ba9431ec944305
Threat Level: Known bad
The file 0e4cce351d50179ad135e2f12a52e9fb.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT
Modifies Windows Defender Real-time Protection settings
DcRat
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine
Glupteba
SmokeLoader
Amadey
SectopRAT payload
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Windows security modification
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
.NET Reactor proctector
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Suspicious use of SetThreadContext
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Enumerates physical storage devices
Program crash
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-19 12:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-19 12:16
Reported
2023-10-19 12:18
Platform
win7-20230831-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2512 set thread context of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe
"C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 268
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
| MD5 | 6e3cd9806b164c57886af6ff6ccc026e |
| SHA1 | e5ce7f9f0d62acc32a8b6c33c0c1aaa726bf821a |
| SHA256 | 721c533c120abc0c97da5df0583edc9ffedcb437678824f5ac6aaabfe510bfe4 |
| SHA512 | 083dd012e888026ba44660ad65f69baae2c1cda81f60d4720a2c5c0a2f850b88470f7886b2521e83ee68221825f530378a6419afb2d13f19b34ef925b33ce954 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
| MD5 | 6e3cd9806b164c57886af6ff6ccc026e |
| SHA1 | e5ce7f9f0d62acc32a8b6c33c0c1aaa726bf821a |
| SHA256 | 721c533c120abc0c97da5df0583edc9ffedcb437678824f5ac6aaabfe510bfe4 |
| SHA512 | 083dd012e888026ba44660ad65f69baae2c1cda81f60d4720a2c5c0a2f850b88470f7886b2521e83ee68221825f530378a6419afb2d13f19b34ef925b33ce954 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
| MD5 | 6e3cd9806b164c57886af6ff6ccc026e |
| SHA1 | e5ce7f9f0d62acc32a8b6c33c0c1aaa726bf821a |
| SHA256 | 721c533c120abc0c97da5df0583edc9ffedcb437678824f5ac6aaabfe510bfe4 |
| SHA512 | 083dd012e888026ba44660ad65f69baae2c1cda81f60d4720a2c5c0a2f850b88470f7886b2521e83ee68221825f530378a6419afb2d13f19b34ef925b33ce954 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
| MD5 | 6e3cd9806b164c57886af6ff6ccc026e |
| SHA1 | e5ce7f9f0d62acc32a8b6c33c0c1aaa726bf821a |
| SHA256 | 721c533c120abc0c97da5df0583edc9ffedcb437678824f5ac6aaabfe510bfe4 |
| SHA512 | 083dd012e888026ba44660ad65f69baae2c1cda81f60d4720a2c5c0a2f850b88470f7886b2521e83ee68221825f530378a6419afb2d13f19b34ef925b33ce954 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
memory/3000-20-0x0000000000500000-0x0000000000520000-memory.dmp
memory/3000-21-0x0000000000980000-0x000000000099E000-memory.dmp
memory/3000-23-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-22-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-25-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-27-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-29-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-31-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-33-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-35-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-37-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-39-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-41-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-43-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-45-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-47-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-49-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-51-0x0000000000980000-0x0000000000998000-memory.dmp
memory/3000-53-0x0000000000980000-0x0000000000998000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
memory/2416-63-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-65-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-67-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-68-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-69-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-70-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-72-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-74-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-71-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2416-76-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2416-77-0x0000000000400000-0x0000000000432000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
memory/2416-82-0x0000000000400000-0x0000000000432000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-19 12:16
Reported
2023-10-19 12:18
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Glupteba
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1CED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1CED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1CED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1CED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1CED.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1DF8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5A6A.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1CED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8Xi8Nb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\19EC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR8Ud2Yk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB5lE0UC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EN8KG5CH.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\670E.exe'\"" | C:\Users\Admin\AppData\Local\Temp\670E.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2792 set thread context of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1800 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Qx23oC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2700 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\2975.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 3632 set thread context of 4840 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 5768 set thread context of 4172 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 5768 set thread context of 3560 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-162 = "Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1CED.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2194.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2379.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe
"C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3004 -ip 3004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2792 -ip 2792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Qx23oC.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Qx23oC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 156
C:\Users\Admin\AppData\Local\Temp\19EC.exe
C:\Users\Admin\AppData\Local\Temp\19EC.exe
C:\Users\Admin\AppData\Local\Temp\1A89.exe
C:\Users\Admin\AppData\Local\Temp\1A89.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR8Ud2Yk.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR8Ud2Yk.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB5lE0UC.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB5lE0UC.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1B94.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EN8KG5CH.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EN8KG5CH.exe
C:\Users\Admin\AppData\Local\Temp\1C31.exe
C:\Users\Admin\AppData\Local\Temp\1C31.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8Xi8Nb.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8Xi8Nb.exe
C:\Users\Admin\AppData\Local\Temp\1CED.exe
C:\Users\Admin\AppData\Local\Temp\1CED.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs75AI3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs75AI3.exe
C:\Users\Admin\AppData\Local\Temp\1DF8.exe
C:\Users\Admin\AppData\Local\Temp\1DF8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zy811kP.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zy811kP.exe
C:\Users\Admin\AppData\Local\Temp\206A.exe
C:\Users\Admin\AppData\Local\Temp\206A.exe
C:\Users\Admin\AppData\Local\Temp\2194.exe
C:\Users\Admin\AppData\Local\Temp\2194.exe
C:\Users\Admin\AppData\Local\Temp\2379.exe
C:\Users\Admin\AppData\Local\Temp\2379.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\2975.exe
C:\Users\Admin\AppData\Local\Temp\2975.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94f1346f8,0x7ff94f134708,0x7ff94f134718
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff94f1346f8,0x7ff94f134708,0x7ff94f134718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\5A6A.exe
C:\Users\Admin\AppData\Local\Temp\5A6A.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\6603.exe
C:\Users\Admin\AppData\Local\Temp\6603.exe
C:\Users\Admin\AppData\Local\Temp\670E.exe
C:\Users\Admin\AppData\Local\Temp\670E.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\6A5B.exe
C:\Users\Admin\AppData\Local\Temp\6A5B.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=206A.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94f1346f8,0x7ff94f134708,0x7ff94f134718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\748D.exe
C:\Users\Admin\AppData\Local\Temp\748D.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6268506836562182027,13798185938830525774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=206A.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94f1346f8,0x7ff94f134708,0x7ff94f134718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,12983642731431345347,798267170409584099,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,12983642731431345347,798267170409584099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,12983642731431345347,798267170409584099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12983642731431345347,798267170409584099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12983642731431345347,798267170409584099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12983642731431345347,798267170409584099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.92.42.5.in-addr.arpa | udp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| IT | 185.196.9.65:80 | tcp | |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.9.196.185.in-addr.arpa | udp |
| NL | 85.209.176.128:80 | tcp | |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| TR | 185.216.70.238:37515 | tcp | |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.251.36.45:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.70.216.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.36.251.142.in-addr.arpa | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| US | 157.240.5.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | 10.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| US | 157.240.5.35:443 | fbcdn.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| FI | 77.91.124.71:4341 | tcp | |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | hellouts.fun | udp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| CZ | 89.187.189.193:80 | 89.187.189.193 | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | 139.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.189.187.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.82.57.23.in-addr.arpa | udp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.67:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.253.67:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | h2o.activebuy.top | udp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| MD | 37.221.65.143:8443 | h2o.activebuy.top | tcp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| IE | 52.17.210.114:443 | mscom.demdex.net | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.253.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.65.221.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.210.17.52.in-addr.arpa | udp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | target.microsoft.com | udp |
| US | 8.8.8.8:53 | microsoftmscompoc.tt.omtrdc.net | udp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.189.173.9:443 | browser.events.data.microsoft.com | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 20.189.173.9:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| IE | 52.17.210.114:443 | mscom.demdex.net | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| NL | 85.209.176.128:80 | tcp | |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8f12134b-a490-4972-b960-b49ca18753aa.uuid.realupdate.ru | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp | |
| US | 8.8.8.8:53 | server9.realupdate.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.stunprotocol.org | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server9.realupdate.ru | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server9.realupdate.ru | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 74.125.204.127:19302 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | 127.204.125.74.in-addr.arpa | udp |
| NL | 85.209.176.128:80 | tcp | |
| N/A | 127.0.0.1:3478 | udp | |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.68.190.80:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| FR | 163.172.154.142:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 80.190.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.154.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server9.realupdate.ru | udp |
| BG | 185.82.216.96:443 | server9.realupdate.ru | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 142.251.125.127:19302 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | 127.125.251.142.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
| MD5 | 6e3cd9806b164c57886af6ff6ccc026e |
| SHA1 | e5ce7f9f0d62acc32a8b6c33c0c1aaa726bf821a |
| SHA256 | 721c533c120abc0c97da5df0583edc9ffedcb437678824f5ac6aaabfe510bfe4 |
| SHA512 | 083dd012e888026ba44660ad65f69baae2c1cda81f60d4720a2c5c0a2f850b88470f7886b2521e83ee68221825f530378a6419afb2d13f19b34ef925b33ce954 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
| MD5 | 6e3cd9806b164c57886af6ff6ccc026e |
| SHA1 | e5ce7f9f0d62acc32a8b6c33c0c1aaa726bf821a |
| SHA256 | 721c533c120abc0c97da5df0583edc9ffedcb437678824f5ac6aaabfe510bfe4 |
| SHA512 | 083dd012e888026ba44660ad65f69baae2c1cda81f60d4720a2c5c0a2f850b88470f7886b2521e83ee68221825f530378a6419afb2d13f19b34ef925b33ce954 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
memory/4492-14-0x0000000073FA0000-0x0000000074750000-memory.dmp
memory/4492-15-0x00000000021B0000-0x00000000021D0000-memory.dmp
memory/4492-16-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/4492-17-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/4492-18-0x0000000004C10000-0x00000000051B4000-memory.dmp
memory/4492-19-0x0000000004AD0000-0x0000000004AEE000-memory.dmp
memory/4492-20-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-21-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-23-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-25-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-27-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-29-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-31-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-33-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-35-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-37-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-39-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-41-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-43-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-45-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-47-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-49-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-51-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/4492-52-0x0000000073FA0000-0x0000000074750000-memory.dmp
memory/4492-53-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/4492-55-0x0000000073FA0000-0x0000000074750000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
| MD5 | c79db86d20bdc4c83a174ce0f3d620c3 |
| SHA1 | aff038016a6f4267990069b210bcf29316187457 |
| SHA256 | 32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533 |
| SHA512 | 38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623 |
memory/3004-59-0x0000000000400000-0x0000000000432000-memory.dmp
memory/3004-60-0x0000000000400000-0x0000000000432000-memory.dmp
memory/3004-61-0x0000000000400000-0x0000000000432000-memory.dmp
memory/3004-63-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Qx23oC.exe
| MD5 | 70a737d76cf8364ebb0ebcb826d3b218 |
| SHA1 | cdf65d10744c9d346800b04626aadfe5e33cfe15 |
| SHA256 | 6fde6fbdd64a7251f4019f9ce61e05b64e9c8f48d2d33632e1823ec0cfab330f |
| SHA512 | 9ab8242be801fdeb4e781505a15e660721a6b978726e4223b4bbdf2aa927641cf842fc10bf5ee3f39aef15cf4cbf80e6a3b47afc70b1091e9427179266eb4342 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Qx23oC.exe
| MD5 | 70a737d76cf8364ebb0ebcb826d3b218 |
| SHA1 | cdf65d10744c9d346800b04626aadfe5e33cfe15 |
| SHA256 | 6fde6fbdd64a7251f4019f9ce61e05b64e9c8f48d2d33632e1823ec0cfab330f |
| SHA512 | 9ab8242be801fdeb4e781505a15e660721a6b978726e4223b4bbdf2aa927641cf842fc10bf5ee3f39aef15cf4cbf80e6a3b47afc70b1091e9427179266eb4342 |
memory/1784-67-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1784-68-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3180-69-0x0000000002FD0000-0x0000000002FE6000-memory.dmp
memory/1784-71-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\19EC.exe
| MD5 | 2a329e9b38ae38c87f9135e998077387 |
| SHA1 | 9635a4e28a5dee0fbc8d303b51a037b10142c97a |
| SHA256 | 4ca02a14bf966ac666a649db80163f8d997e88b3ec64de5b169c4cf527dc6d57 |
| SHA512 | 155dc0bcd484bb02fd0eaa024a12486df970d23c080e87bf074e60917d10641fb4c5ceb2bff12dfdcd5783d7b15adc47f1c96b835df920dbb2df807f40a6d715 |
C:\Users\Admin\AppData\Local\Temp\19EC.exe
| MD5 | 2a329e9b38ae38c87f9135e998077387 |
| SHA1 | 9635a4e28a5dee0fbc8d303b51a037b10142c97a |
| SHA256 | 4ca02a14bf966ac666a649db80163f8d997e88b3ec64de5b169c4cf527dc6d57 |
| SHA512 | 155dc0bcd484bb02fd0eaa024a12486df970d23c080e87bf074e60917d10641fb4c5ceb2bff12dfdcd5783d7b15adc47f1c96b835df920dbb2df807f40a6d715 |
C:\Users\Admin\AppData\Local\Temp\1A89.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\1A89.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR8Ud2Yk.exe
| MD5 | 765aab30236087915cc222cbcb1c83b1 |
| SHA1 | a0ff6a57ff4da91e56e9c5af6bdcd76449cd9135 |
| SHA256 | 63c9e77464db39e48119e46c037f3af02bc4dfcd1bd9dfb4e18496094e9a5cd1 |
| SHA512 | 40291bc49707cde9ec2d8771039209ce1f621c6dc9e944b73d5d30ea2f439f61f54547bcd2d968df56d53e715a19caeacb09c562853c65e82ea4373d28a9dcf4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR8Ud2Yk.exe
| MD5 | 765aab30236087915cc222cbcb1c83b1 |
| SHA1 | a0ff6a57ff4da91e56e9c5af6bdcd76449cd9135 |
| SHA256 | 63c9e77464db39e48119e46c037f3af02bc4dfcd1bd9dfb4e18496094e9a5cd1 |
| SHA512 | 40291bc49707cde9ec2d8771039209ce1f621c6dc9e944b73d5d30ea2f439f61f54547bcd2d968df56d53e715a19caeacb09c562853c65e82ea4373d28a9dcf4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB5lE0UC.exe
| MD5 | 93f81ff827d1c2e932ba3061f4f91768 |
| SHA1 | 281f79bd62d7d96a4c9580a663a0d640e725652c |
| SHA256 | 2a481416642a7963e391024bda116f44412c8b26870975522482d28d24c5163c |
| SHA512 | 7638537bd092c730d7c5fbc35f2621d610d336bd1bd6cbb61e19620a65d09c1b92c0dbd1c01f9e0338e99ef447d555f33bb1064ea8efbd5dc439f95e3a19fccd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB5lE0UC.exe
| MD5 | 93f81ff827d1c2e932ba3061f4f91768 |
| SHA1 | 281f79bd62d7d96a4c9580a663a0d640e725652c |
| SHA256 | 2a481416642a7963e391024bda116f44412c8b26870975522482d28d24c5163c |
| SHA512 | 7638537bd092c730d7c5fbc35f2621d610d336bd1bd6cbb61e19620a65d09c1b92c0dbd1c01f9e0338e99ef447d555f33bb1064ea8efbd5dc439f95e3a19fccd |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EN8KG5CH.exe
| MD5 | 35f38c454d8ab70335c7f951e49cb715 |
| SHA1 | be59b2f4ba8adda5b38a7c844168ac65b3e764d0 |
| SHA256 | f8ab591b2516ebf54b2e5bcac434138c720400130bbb2b035d11d658e27eeff8 |
| SHA512 | d4a2fcc329ac83c4e7947be4beacd18932f63289054a46fdbe9e562b296c1055e29b57a6d0699c0018a8f86aef3f111ab0831b869b9b75c1e023710b0ed0a37e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EN8KG5CH.exe
| MD5 | 35f38c454d8ab70335c7f951e49cb715 |
| SHA1 | be59b2f4ba8adda5b38a7c844168ac65b3e764d0 |
| SHA256 | f8ab591b2516ebf54b2e5bcac434138c720400130bbb2b035d11d658e27eeff8 |
| SHA512 | d4a2fcc329ac83c4e7947be4beacd18932f63289054a46fdbe9e562b296c1055e29b57a6d0699c0018a8f86aef3f111ab0831b869b9b75c1e023710b0ed0a37e |
C:\Users\Admin\AppData\Local\Temp\1B94.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\1C31.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\1C31.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8Xi8Nb.exe
| MD5 | 296174aaf48f58cbdbc641ebdb5a531e |
| SHA1 | 616c56c35c88e570f0a8a94284fcee622dc2105f |
| SHA256 | c0033b8f06696307d1d7686539b08b3f875d2cf1bfd78e0575238b5b88de72dd |
| SHA512 | f3deaadf48ae846996b14c677704cd21c821a71fbaf313143cfaa9ff660178efba73554ac3e1c9858b5d9d17591eca41ad171a17a96817902337966f9c8e1e4b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8Xi8Nb.exe
| MD5 | 296174aaf48f58cbdbc641ebdb5a531e |
| SHA1 | 616c56c35c88e570f0a8a94284fcee622dc2105f |
| SHA256 | c0033b8f06696307d1d7686539b08b3f875d2cf1bfd78e0575238b5b88de72dd |
| SHA512 | f3deaadf48ae846996b14c677704cd21c821a71fbaf313143cfaa9ff660178efba73554ac3e1c9858b5d9d17591eca41ad171a17a96817902337966f9c8e1e4b |
memory/3788-125-0x00000000733A0000-0x0000000073B50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs75AI3.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs75AI3.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\1CED.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
C:\Users\Admin\AppData\Local\Temp\1CED.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
memory/3788-133-0x00000000074B0000-0x0000000007542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1CED.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
memory/3788-124-0x00000000006C0000-0x00000000006FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs75AI3.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\1DF8.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\1DF8.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zy811kP.exe
| MD5 | a1a5019d202717b4f29f96a314a8679c |
| SHA1 | 490aa2f8ef70815d65b08601f06219b3cbf5b3df |
| SHA256 | e28000ae6a1a44647ae18085a7ca9e38e14af91d5720864f9cc32e6655682ddb |
| SHA512 | f77a9f043aadc27a9c1c1a01254230ed9498bc2f28131c6798643177486ab4787fb1b620c36318234fa5a247532c6399df42d32d99d80597e0286fcff18f8dc9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zy811kP.exe
| MD5 | a1a5019d202717b4f29f96a314a8679c |
| SHA1 | 490aa2f8ef70815d65b08601f06219b3cbf5b3df |
| SHA256 | e28000ae6a1a44647ae18085a7ca9e38e14af91d5720864f9cc32e6655682ddb |
| SHA512 | f77a9f043aadc27a9c1c1a01254230ed9498bc2f28131c6798643177486ab4787fb1b620c36318234fa5a247532c6399df42d32d99d80597e0286fcff18f8dc9 |
memory/4680-145-0x0000000000410000-0x000000000044E000-memory.dmp
memory/2512-143-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/2512-150-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
memory/2512-152-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\206A.exe
| MD5 | b9fbf1ffd7f18fa178219df9e5a4d7f9 |
| SHA1 | be2d63df44dbbb754fc972e18adf9d56a1adcce4 |
| SHA256 | 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f |
| SHA512 | ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8 |
memory/4680-158-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/3788-149-0x0000000007640000-0x000000000764A000-memory.dmp
memory/2512-146-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
memory/4680-164-0x0000000007340000-0x0000000007350000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3788-171-0x00000000077E0000-0x00000000078EA000-memory.dmp
memory/3788-176-0x0000000007710000-0x0000000007722000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2379.exe
| MD5 | 20e21e63bb7a95492aec18de6aa85ab9 |
| SHA1 | 6cbf2079a42d86bf155c06c7ad5360c539c02b15 |
| SHA256 | 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17 |
| SHA512 | 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33 |
C:\Users\Admin\AppData\Local\Temp\2194.exe
| MD5 | 7f28547a6060699461824f75c96feaeb |
| SHA1 | 744195a7d3ef1aa32dcb99d15f73e26a20813259 |
| SHA256 | ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff |
| SHA512 | eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/556-196-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/556-195-0x00000000008F0000-0x000000000094A000-memory.dmp
memory/3788-194-0x00000000078F0000-0x000000000793C000-memory.dmp
memory/4108-193-0x0000000000DA0000-0x0000000000DBE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2379.exe
| MD5 | 20e21e63bb7a95492aec18de6aa85ab9 |
| SHA1 | 6cbf2079a42d86bf155c06c7ad5360c539c02b15 |
| SHA256 | 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17 |
| SHA512 | 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3788-183-0x0000000007770000-0x00000000077AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\206A.exe
| MD5 | b9fbf1ffd7f18fa178219df9e5a4d7f9 |
| SHA1 | be2d63df44dbbb754fc972e18adf9d56a1adcce4 |
| SHA256 | 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f |
| SHA512 | ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8 |
memory/3788-166-0x0000000008590000-0x0000000008BA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2194.exe
| MD5 | 7f28547a6060699461824f75c96feaeb |
| SHA1 | 744195a7d3ef1aa32dcb99d15f73e26a20813259 |
| SHA256 | ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff |
| SHA512 | eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239 |
memory/3788-160-0x0000000007490000-0x00000000074A0000-memory.dmp
memory/4108-200-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/556-205-0x0000000007810000-0x0000000007820000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2975.exe
| MD5 | a8eb605b301ac27461ce89d51a4d73ce |
| SHA1 | f3e2120787f20577963189b711567cc5d7b19d4e |
| SHA256 | 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61 |
| SHA512 | 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a |
memory/4904-210-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4904-204-0x0000000002120000-0x000000000217A000-memory.dmp
memory/4108-203-0x00000000016E0000-0x00000000016F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2975.exe
| MD5 | a8eb605b301ac27461ce89d51a4d73ce |
| SHA1 | f3e2120787f20577963189b711567cc5d7b19d4e |
| SHA256 | 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61 |
| SHA512 | 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a |
memory/556-225-0x00000000082D0000-0x0000000008336000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f95638730ec51abd55794c140ca826c9 |
| SHA1 | 77c415e2599fbdfe16530c2ab533fd6b193e82ef |
| SHA256 | 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3 |
| SHA512 | 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a |
memory/2700-231-0x0000000000B40000-0x0000000000C5B000-memory.dmp
memory/1976-237-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2700-238-0x0000000000B40000-0x0000000000C5B000-memory.dmp
memory/1976-239-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/3788-245-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/2512-246-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/1976-250-0x0000000005450000-0x0000000005460000-memory.dmp
\??\pipe\LOCAL\crashpad_2068_FQGRHSUPVUMEVXCH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1a631fa0fad5fb44f6b533dddd955bb8 |
| SHA1 | 3670b7c28f7a86256210e2a2721827d29b945601 |
| SHA256 | 8bf93874e9f9c1e72d7e3bf3fcaf320f65e9e46cb02c26ff2a7106897e42f5f9 |
| SHA512 | 4469cf29b9ff0a0e36714209a1e3c022321605a60b04f16caa7675787d00db37ecc7d00202fd1756e900b06d277c565890e682a5d74a1dc6a62731fb673eb6e8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f95638730ec51abd55794c140ca826c9 |
| SHA1 | 77c415e2599fbdfe16530c2ab533fd6b193e82ef |
| SHA256 | 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3 |
| SHA512 | 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a |
memory/2512-270-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
memory/2512-273-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
memory/4680-274-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/556-275-0x0000000009850000-0x00000000098C6000-memory.dmp
memory/556-288-0x0000000009820000-0x000000000983E000-memory.dmp
memory/4680-297-0x0000000007340000-0x0000000007350000-memory.dmp
memory/556-299-0x00000000733A0000-0x0000000073B50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/4108-301-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/4108-302-0x00000000016E0000-0x00000000016F0000-memory.dmp
memory/556-319-0x0000000009BF0000-0x0000000009C40000-memory.dmp
memory/556-320-0x0000000009E10000-0x0000000009FD2000-memory.dmp
memory/2512-323-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/556-322-0x000000000ABD0000-0x000000000B0FC000-memory.dmp
memory/556-324-0x0000000007810000-0x0000000007820000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5A6A.exe
| MD5 | 85fb3b5dffede43c9eb9510b19e440b4 |
| SHA1 | 6623493bbc3dd0fb63b8b8740b22d682e91204b1 |
| SHA256 | 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a |
| SHA512 | af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40 |
C:\Users\Admin\AppData\Local\Temp\5A6A.exe
| MD5 | 85fb3b5dffede43c9eb9510b19e440b4 |
| SHA1 | 6623493bbc3dd0fb63b8b8740b22d682e91204b1 |
| SHA256 | 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a |
| SHA512 | af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40 |
memory/2908-331-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/2908-332-0x0000000000960000-0x0000000001362000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 928b00f01c7433d3a7762dd3d3a3b759 |
| SHA1 | a1dfb22c08c7b2ca5e37abcb82cded63049c2646 |
| SHA256 | 3324dc14ec8ef8df3467bac3c21d55ccefb117907ca3ac73a65d1a41ec948808 |
| SHA512 | 836b32ca5313a123de08c52573bbb66a42909899b17cd5e7b0a7765592c3ab94054c2baccb187948fc2ccf49b6ed053d20a087b6e76709fadcc405e9ed47803b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5b550b4598bf562b7eccd618780dc03c |
| SHA1 | 62ac4709871dea0062528ce7569426d0836106e0 |
| SHA256 | 5db9f2f181fd50d5b550aaf3463ea608e5215c870a935a37418791db83e633f1 |
| SHA512 | 31eed2c7950c04780ebe4dbab6013e8e7572bdef00368a8a66e101bfb9aa7c78ab608b065807f1fb24c729e50cc2d630083956cc686632b01dce531bd0363e38 |
C:\Users\Admin\AppData\Local\Temp\6603.exe
| MD5 | 42d97769a8cfdfedac8e03f6903e076b |
| SHA1 | 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe |
| SHA256 | f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b |
| SHA512 | 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77 |
C:\Users\Admin\AppData\Local\Temp\670E.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
memory/556-356-0x00000000733A0000-0x0000000073B50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 4a078fb8a7c67594a6c2aa724e2ac684 |
| SHA1 | 92bc5b49985c8588c60f6f85c50a516fae0332f4 |
| SHA256 | c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee |
| SHA512 | 188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6 |
C:\Users\Admin\AppData\Local\Temp\6603.exe
| MD5 | 42d97769a8cfdfedac8e03f6903e076b |
| SHA1 | 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe |
| SHA256 | f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b |
| SHA512 | 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77 |
C:\Users\Admin\AppData\Local\Temp\670E.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e5bbfaa96a70b5c2316d1befe5a1b85c |
| SHA1 | 399a478e94abf553332d11c18b9f88894ecaeabe |
| SHA256 | b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30 |
| SHA512 | bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e5bbfaa96a70b5c2316d1befe5a1b85c |
| SHA1 | 399a478e94abf553332d11c18b9f88894ecaeabe |
| SHA256 | b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30 |
| SHA512 | bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0bce2fed456a72a2486b1d17621c88d6 |
| SHA1 | 4cbff382f76920526ec0bc81a05bfd372dd88229 |
| SHA256 | 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b |
| SHA512 | 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e5bbfaa96a70b5c2316d1befe5a1b85c |
| SHA1 | 399a478e94abf553332d11c18b9f88894ecaeabe |
| SHA256 | b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30 |
| SHA512 | bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0bce2fed456a72a2486b1d17621c88d6 |
| SHA1 | 4cbff382f76920526ec0bc81a05bfd372dd88229 |
| SHA256 | 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b |
| SHA512 | 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4 |
memory/4476-386-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6A5B.exe
| MD5 | d5752c23e575b5a1a1cc20892462634a |
| SHA1 | 132e347a010ea0c809844a4d90bcc0414a11da3f |
| SHA256 | c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb |
| SHA512 | ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0bce2fed456a72a2486b1d17621c88d6 |
| SHA1 | 4cbff382f76920526ec0bc81a05bfd372dd88229 |
| SHA256 | 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b |
| SHA512 | 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/1976-397-0x0000000005450000-0x0000000005460000-memory.dmp
memory/1976-394-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/3632-403-0x00000000007E0000-0x00000000008E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gru0u4m3.2pm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a9399b4e9d0277fe3d25cc749c24f3a6 |
| SHA1 | c430929bde4c1ded8e8fc284fd5927a52b1c5f2b |
| SHA256 | 8af9f711e403e94a742e9f7b1982cb39de8ec16b0ac83b0a790190ebdff2c635 |
| SHA512 | 3133d21aa003dfade152b105c9bd2a4c007f06fb432ef39c882d257968256cd98b7849cd67ef98b4d015ee6a9e3c46f34575f4f9f5e112021e27e0cbf9ec964e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b15bc5ec9a02c7ab27847d125ad89e34 |
| SHA1 | 24602568977b2e2891734bf6849f45c8fd0b2327 |
| SHA256 | a0289133ca38ff4ae6e19253cb9417ab523beaf90a745a753358280769599b05 |
| SHA512 | f0d7fb5a75327f962f4cf65724d09836c0ac2f2e59839dffa6a9a1bb6d18bfd952ed46b9cfcfb14c880147ee235f14873cd11d9a3754c07a077853d9c20ef0fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 512c6424251a2d029a5b6fd58d28052d |
| SHA1 | d6aa2cb1363404aee355fd5b94f50d3e70a38cd1 |
| SHA256 | b035bda8560679a608efc6ff5444fb8407cb3296ae29a8ade1c8c0779262dd94 |
| SHA512 | 8fc61a71230d9d3f4e825f806fb29e672ed9aeba0df9623986793fc428acfea5141ec85f5eaac92bdb38f2a29a1e0db69395a9823d952f678e8ba621de203344 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |