Analysis Overview
SHA256
f7b1d14018860b1352161d763bb44d62ae2bf66c2f63987bdf208a117508bf3b
Threat Level: Known bad
The file 07d9513c0d5a6193a06e26992041e1f9.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT
SectopRAT payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Amadey
RedLine payload
SmokeLoader
DcRat
Modifies Windows Defender Real-time Protection settings
Glupteba
RedLine
Stops running service(s)
Modifies Windows Firewall
Drops file in Drivers directory
Downloads MZ/PE file
Reads user/profile data of local email clients
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
.NET Reactor proctector
Checks installed software on the system
Manipulates WinMonFS driver.
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Enumerates physical storage devices
Program crash
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-19 14:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-19 14:02
Reported
2023-10-19 14:05
Platform
win7-20230831-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3000 set thread context of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe
"C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 280
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
| MD5 | 1227fce841a7bc05446eceec68e0ecb5 |
| SHA1 | 154acebc61b109c5c2af28852793de615967ae67 |
| SHA256 | 6e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2 |
| SHA512 | e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
| MD5 | 1227fce841a7bc05446eceec68e0ecb5 |
| SHA1 | 154acebc61b109c5c2af28852793de615967ae67 |
| SHA256 | 6e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2 |
| SHA512 | e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
| MD5 | 1227fce841a7bc05446eceec68e0ecb5 |
| SHA1 | 154acebc61b109c5c2af28852793de615967ae67 |
| SHA256 | 6e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2 |
| SHA512 | e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
| MD5 | 1227fce841a7bc05446eceec68e0ecb5 |
| SHA1 | 154acebc61b109c5c2af28852793de615967ae67 |
| SHA256 | 6e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2 |
| SHA512 | e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
memory/2736-23-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2736-24-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2736-25-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2736-26-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2736-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2736-28-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2736-30-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2736-32-0x0000000000400000-0x000000000040A000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-19 14:02
Reported
2023-10-19 14:05
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Glupteba
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\11D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\11D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\11D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\11D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\11D2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\131B.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44DE.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\11D2.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\4964.exe'\"" | C:\Users\Admin\AppData\Local\Temp\4964.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\EA1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ed3wn2xf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nu7Xc1Qq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RK5OL8oK.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gr2hm8zp.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4536 set thread context of 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5092 set thread context of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2SJ2322.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2976 set thread context of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Yl18HD.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5456 set thread context of 5720 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 2848 set thread context of 1324 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 2848 set thread context of 1604 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Windows\windefender.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11D2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\16C6.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1948.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe
"C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 552
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2SJ2322.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2SJ2322.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5092 -ip 5092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4588 -ip 4588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 184
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Yl18HD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Yl18HD.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2976 -ip 2976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 136
C:\Users\Admin\AppData\Local\Temp\EA1.exe
C:\Users\Admin\AppData\Local\Temp\EA1.exe
C:\Users\Admin\AppData\Local\Temp\F3E.exe
C:\Users\Admin\AppData\Local\Temp\F3E.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gr2hm8zp.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gr2hm8zp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1039.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ed3wn2xf.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ed3wn2xf.exe
C:\Users\Admin\AppData\Local\Temp\1105.exe
C:\Users\Admin\AppData\Local\Temp\1105.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nu7Xc1Qq.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nu7Xc1Qq.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RK5OL8oK.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RK5OL8oK.exe
C:\Users\Admin\AppData\Local\Temp\11D2.exe
C:\Users\Admin\AppData\Local\Temp\11D2.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dQ56Ol6.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dQ56Ol6.exe
C:\Users\Admin\AppData\Local\Temp\131B.exe
C:\Users\Admin\AppData\Local\Temp\131B.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mi256Fu.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mi256Fu.exe
C:\Users\Admin\AppData\Local\Temp\158D.exe
C:\Users\Admin\AppData\Local\Temp\158D.exe
C:\Users\Admin\AppData\Local\Temp\16C6.exe
C:\Users\Admin\AppData\Local\Temp\16C6.exe
C:\Users\Admin\AppData\Local\Temp\1948.exe
C:\Users\Admin\AppData\Local\Temp\1948.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fffd91d46f8,0x7fffd91d4708,0x7fffd91d4718
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\21B5.exe
C:\Users\Admin\AppData\Local\Temp\21B5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd91d46f8,0x7fffd91d4708,0x7fffd91d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,3086283862446326530,15911878661353260649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=158D.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd91d46f8,0x7fffd91d4708,0x7fffd91d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\44DE.exe
C:\Users\Admin\AppData\Local\Temp\44DE.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\46B4.exe
C:\Users\Admin\AppData\Local\Temp\46B4.exe
C:\Users\Admin\AppData\Local\Temp\4964.exe
C:\Users\Admin\AppData\Local\Temp\4964.exe
C:\Users\Admin\AppData\Local\Temp\4BA7.exe
C:\Users\Admin\AppData\Local\Temp\4BA7.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1751707852712770215,312923102338884734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=158D.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7fffd91d46f8,0x7fffd91d4708,0x7fffd91d4718
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.92.42.5.in-addr.arpa | udp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| IT | 185.196.9.65:80 | tcp | |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| NL | 85.209.176.128:80 | tcp | |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 65.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 10.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.82.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.67:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| US | 8.8.8.8:53 | microsoftmscompoc.tt.omtrdc.net | udp |
| US | 8.8.8.8:53 | target.microsoft.com | udp |
| IE | 34.251.83.66:443 | mscom.demdex.net | tcp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.83.251.34.in-addr.arpa | udp |
| FI | 77.91.124.71:4341 | tcp | |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.189.173.8:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 20.189.173.8:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h2o.activebuy.top | udp |
| MD | 37.221.65.143:8443 | h2o.activebuy.top | tcp |
| US | 8.8.8.8:53 | hellouts.fun | udp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | 143.65.221.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.210.247.8.in-addr.arpa | udp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 846ca480-5a0f-4a02-bb58-211d80dc353e.uuid.realupdate.ru | udp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp | |
| US | 8.8.8.8:53 | server7.realupdate.ru | udp |
| US | 8.8.8.8:53 | stun.ipfire.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| BG | 185.82.216.96:443 | server7.realupdate.ru | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.1:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 44.27.3.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.96.114.188.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server7.realupdate.ru | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp | |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 135.125.238.108:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 108.238.125.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| NL | 51.15.58.224:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.58.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
| MD5 | 1227fce841a7bc05446eceec68e0ecb5 |
| SHA1 | 154acebc61b109c5c2af28852793de615967ae67 |
| SHA256 | 6e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2 |
| SHA512 | e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe
| MD5 | 1227fce841a7bc05446eceec68e0ecb5 |
| SHA1 | 154acebc61b109c5c2af28852793de615967ae67 |
| SHA256 | 6e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2 |
| SHA512 | e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
memory/3284-14-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3284-15-0x0000000073CE0000-0x0000000074490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2SJ2322.exe
| MD5 | 7b0658726efae53263caea557af4a09f |
| SHA1 | 1b62993d8d6f55951812e2d4527c95177a1e90f3 |
| SHA256 | c44351e06ec6c7a1dd67ac4174f2b7be541e4ede28f00c09b0d2975f5d98921b |
| SHA512 | 410ee65d9cb71f3713380181996a5f78da38e1ae0be1cef22d60a93a1f081e4e4c17bbce2d0106ba5d8d97471412871a376c50663219362c6ac14af05ec129bf |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2SJ2322.exe
| MD5 | 7b0658726efae53263caea557af4a09f |
| SHA1 | 1b62993d8d6f55951812e2d4527c95177a1e90f3 |
| SHA256 | c44351e06ec6c7a1dd67ac4174f2b7be541e4ede28f00c09b0d2975f5d98921b |
| SHA512 | 410ee65d9cb71f3713380181996a5f78da38e1ae0be1cef22d60a93a1f081e4e4c17bbce2d0106ba5d8d97471412871a376c50663219362c6ac14af05ec129bf |
memory/3284-20-0x0000000073CE0000-0x0000000074490000-memory.dmp
memory/4588-21-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4588-22-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4588-23-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4588-25-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Yl18HD.exe
| MD5 | e1a131e21c3d8c2b50f4f45f765b8dc1 |
| SHA1 | 3fb12a4bf57fc64c56fc6480573e45d7444d2bce |
| SHA256 | 70284868f05259dfaad309074a4d3f082aa7e7de7a7e6094887ab1de399ca358 |
| SHA512 | 3d75dd456d11a60d8a56cf27a2730bde3c93cdd25f881ec3e528e7423a4bc430509f792cae554b7817ddef5b1d90327784c95257d2d1b92dc1c0c95534785ee4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Yl18HD.exe
| MD5 | e1a131e21c3d8c2b50f4f45f765b8dc1 |
| SHA1 | 3fb12a4bf57fc64c56fc6480573e45d7444d2bce |
| SHA256 | 70284868f05259dfaad309074a4d3f082aa7e7de7a7e6094887ab1de399ca358 |
| SHA512 | 3d75dd456d11a60d8a56cf27a2730bde3c93cdd25f881ec3e528e7423a4bc430509f792cae554b7817ddef5b1d90327784c95257d2d1b92dc1c0c95534785ee4 |
memory/4516-29-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4516-30-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2264-31-0x00000000036C0000-0x00000000036D6000-memory.dmp
memory/4516-32-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2264-35-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-36-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-38-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-39-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-37-0x0000000003960000-0x0000000003970000-memory.dmp
memory/2264-40-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-42-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-41-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-44-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-47-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-46-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-48-0x0000000003990000-0x00000000039A0000-memory.dmp
memory/2264-49-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-50-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-51-0x0000000003990000-0x00000000039A0000-memory.dmp
memory/2264-54-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-52-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-56-0x0000000003960000-0x0000000003970000-memory.dmp
memory/2264-55-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-58-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-57-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-61-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-60-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-62-0x0000000003990000-0x00000000039A0000-memory.dmp
memory/2264-63-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-65-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-64-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-68-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-66-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-70-0x0000000003950000-0x0000000003960000-memory.dmp
memory/2264-71-0x0000000003950000-0x0000000003960000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA1.exe
| MD5 | 9116658f4e155e7a053cc0e0f9fc1aed |
| SHA1 | ae52cef85d21c96b90d61b9ccf66cc6da52bb9da |
| SHA256 | 4a26a8c09c779f06c5aea4c99693a041583e2c1ebcfe339412aeecdda6946243 |
| SHA512 | 8fcc39f72e71482c966019ff6adc050c6547507f814994062fdb26109f2c7fe82748528d4414cea4328a14fa1f3a8c4b4bf3529707e05b358b016fdb19548d5f |
C:\Users\Admin\AppData\Local\Temp\EA1.exe
| MD5 | 9116658f4e155e7a053cc0e0f9fc1aed |
| SHA1 | ae52cef85d21c96b90d61b9ccf66cc6da52bb9da |
| SHA256 | 4a26a8c09c779f06c5aea4c99693a041583e2c1ebcfe339412aeecdda6946243 |
| SHA512 | 8fcc39f72e71482c966019ff6adc050c6547507f814994062fdb26109f2c7fe82748528d4414cea4328a14fa1f3a8c4b4bf3529707e05b358b016fdb19548d5f |
C:\Users\Admin\AppData\Local\Temp\F3E.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\F3E.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gr2hm8zp.exe
| MD5 | ab812ed81d5bcda424814481ddbfd16c |
| SHA1 | 4d9ffd7aedb4f67922c5d31b8904ec8bfedad281 |
| SHA256 | d27388deee0b758f62721895e752b3b6ebc624b258da4525ab98823774c4e7fa |
| SHA512 | 6a6eac5b1910acc8603fbc5514b7ee4239036b84200de7f23d4b483076f26587b5625b93651674a2ae9c3ead342c283ce6f1edf34a9bddb8b210fd97dadeb91e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gr2hm8zp.exe
| MD5 | ab812ed81d5bcda424814481ddbfd16c |
| SHA1 | 4d9ffd7aedb4f67922c5d31b8904ec8bfedad281 |
| SHA256 | d27388deee0b758f62721895e752b3b6ebc624b258da4525ab98823774c4e7fa |
| SHA512 | 6a6eac5b1910acc8603fbc5514b7ee4239036b84200de7f23d4b483076f26587b5625b93651674a2ae9c3ead342c283ce6f1edf34a9bddb8b210fd97dadeb91e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ed3wn2xf.exe
| MD5 | b73d0f04343d9b5127606a3fc98cb171 |
| SHA1 | 75cf2d811bc27fdb2a628345cc3b2e78b6522a60 |
| SHA256 | 81289638915afd121cdb7945f7119bf15d7368d31455461f73cfef2c2c87fc21 |
| SHA512 | 255289249956c2c8d5e5debff2214640914f0344e42a8f048d11c1af7dd7a448ae17d9ce6882bc81e67afbddf1f7be9b4d29a6e0b0e86a00284322b61ab18664 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ed3wn2xf.exe
| MD5 | b73d0f04343d9b5127606a3fc98cb171 |
| SHA1 | 75cf2d811bc27fdb2a628345cc3b2e78b6522a60 |
| SHA256 | 81289638915afd121cdb7945f7119bf15d7368d31455461f73cfef2c2c87fc21 |
| SHA512 | 255289249956c2c8d5e5debff2214640914f0344e42a8f048d11c1af7dd7a448ae17d9ce6882bc81e67afbddf1f7be9b4d29a6e0b0e86a00284322b61ab18664 |
C:\Users\Admin\AppData\Local\Temp\1105.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nu7Xc1Qq.exe
| MD5 | 6036c3d4b0b7945039e4e74f4320f336 |
| SHA1 | 8db45c132c694627df80703b44bcd5aa46aa311e |
| SHA256 | 967fa3b0b2ea073277e20e1eb5c2d7a7ace1e0abe76acda1d164fee25ad13534 |
| SHA512 | 252b2cb9553a39dd0cb39566eab975ad00081889b0e4d10d194d8e7d0be411f1414ed919159727d1a75cda65fd735e499452e63becaf259cd96cc8b2f4a2841a |
C:\Users\Admin\AppData\Local\Temp\1039.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\1105.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
memory/1396-117-0x0000000000320000-0x000000000035E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11D2.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RK5OL8oK.exe
| MD5 | 20c027908129d1d80508dabaf2a6f437 |
| SHA1 | e897e61f9dfc8196bab72e80c1efcf118d90bef9 |
| SHA256 | 3e0521460aa47978697056ce2a37d49b82402bd73782f9b85dd219fcac06d5c4 |
| SHA512 | 5f929a307ad5930d6a0f0289fb3b76136d5421fd4aef3e0495dc6ad96e4a81d605313efeed557939a4498a38d79cb4f9ace0b35abfbb9fd8a792c7c5e4795175 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RK5OL8oK.exe
| MD5 | 20c027908129d1d80508dabaf2a6f437 |
| SHA1 | e897e61f9dfc8196bab72e80c1efcf118d90bef9 |
| SHA256 | 3e0521460aa47978697056ce2a37d49b82402bd73782f9b85dd219fcac06d5c4 |
| SHA512 | 5f929a307ad5930d6a0f0289fb3b76136d5421fd4aef3e0495dc6ad96e4a81d605313efeed557939a4498a38d79cb4f9ace0b35abfbb9fd8a792c7c5e4795175 |
memory/2320-129-0x0000000002360000-0x0000000002380000-memory.dmp
memory/2320-133-0x0000000073010000-0x00000000737C0000-memory.dmp
memory/2320-135-0x00000000049B0000-0x00000000049C0000-memory.dmp
memory/1396-141-0x0000000007110000-0x00000000071A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\131B.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mi256Fu.exe
| MD5 | e3403b7f02a1afcce3303d7f616863e4 |
| SHA1 | f8ba5ef789f0be6622336429014bfb23f798a843 |
| SHA256 | c9f99c90b1cb1644084114d08e1ee6d84d69523e21f1e718684dea2b7cd4afcf |
| SHA512 | 01e087bb190f95bb23376ddf742e1c4a91351756b94e636c36ff1cc59e449b4dcf73915a49edeec5844fe73528d289680a1a36293ff150aec79a3a4a89c3e338 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mi256Fu.exe
| MD5 | e3403b7f02a1afcce3303d7f616863e4 |
| SHA1 | f8ba5ef789f0be6622336429014bfb23f798a843 |
| SHA256 | c9f99c90b1cb1644084114d08e1ee6d84d69523e21f1e718684dea2b7cd4afcf |
| SHA512 | 01e087bb190f95bb23376ddf742e1c4a91351756b94e636c36ff1cc59e449b4dcf73915a49edeec5844fe73528d289680a1a36293ff150aec79a3a4a89c3e338 |
memory/2320-140-0x0000000004990000-0x00000000049AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\131B.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/1396-156-0x0000000007090000-0x00000000070A0000-memory.dmp
memory/4604-151-0x0000000073010000-0x00000000737C0000-memory.dmp
memory/2320-150-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/1396-149-0x00000000072A0000-0x00000000072AA000-memory.dmp
memory/4604-152-0x0000000000AB0000-0x0000000000AEE000-memory.dmp
memory/2320-148-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/2320-138-0x00000000049B0000-0x00000000049C0000-memory.dmp
memory/2320-137-0x00000000049C0000-0x0000000004F64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dQ56Ol6.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dQ56Ol6.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dQ56Ol6.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\11D2.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
memory/1396-116-0x0000000073010000-0x00000000737C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nu7Xc1Qq.exe
| MD5 | 6036c3d4b0b7945039e4e74f4320f336 |
| SHA1 | 8db45c132c694627df80703b44bcd5aa46aa311e |
| SHA256 | 967fa3b0b2ea073277e20e1eb5c2d7a7ace1e0abe76acda1d164fee25ad13534 |
| SHA512 | 252b2cb9553a39dd0cb39566eab975ad00081889b0e4d10d194d8e7d0be411f1414ed919159727d1a75cda65fd735e499452e63becaf259cd96cc8b2f4a2841a |
memory/2320-158-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\158D.exe
| MD5 | b9fbf1ffd7f18fa178219df9e5a4d7f9 |
| SHA1 | be2d63df44dbbb754fc972e18adf9d56a1adcce4 |
| SHA256 | 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f |
| SHA512 | ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8 |
memory/2320-160-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/2320-167-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/1396-172-0x00000000081F0000-0x0000000008808000-memory.dmp
memory/1396-176-0x0000000007440000-0x000000000754A000-memory.dmp
memory/2320-175-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/1396-177-0x0000000007370000-0x0000000007382000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\158D.exe
| MD5 | b9fbf1ffd7f18fa178219df9e5a4d7f9 |
| SHA1 | be2d63df44dbbb754fc972e18adf9d56a1adcce4 |
| SHA256 | 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f |
| SHA512 | ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8 |
memory/1396-184-0x00000000073D0000-0x000000000740C000-memory.dmp
memory/2320-190-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/3400-193-0x0000000073010000-0x00000000737C0000-memory.dmp
memory/60-194-0x0000000000760000-0x000000000077E000-memory.dmp
memory/2320-196-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/60-198-0x0000000073010000-0x00000000737C0000-memory.dmp
memory/4400-200-0x0000000000400000-0x0000000000470000-memory.dmp
memory/60-202-0x0000000004FA0000-0x0000000004FB0000-memory.dmp
memory/2320-205-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/2320-213-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\21B5.exe
| MD5 | 6beaa4e2ea0db39aff347b9c04e8a0ba |
| SHA1 | e253f412caec1283ea8142a225e039233827d459 |
| SHA256 | 2be8c3b5bc8178e38982858a94f77e24e038910438c699f889421a01b65adadc |
| SHA512 | 4cf4c763486ca385b7f3825ddc57e8d0b9f8b326e8b0d02e5b2e24c115c48d6ed3b59f255331ff4a29bd7a2e7f4039440972968777460cb3d1ee31097a5e8e3e |
memory/2320-211-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/3400-210-0x0000000007120000-0x0000000007130000-memory.dmp
memory/1396-207-0x0000000073010000-0x00000000737C0000-memory.dmp
memory/4400-201-0x00000000005D0000-0x000000000062A000-memory.dmp
memory/2320-199-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/3400-192-0x0000000000150000-0x00000000001AA000-memory.dmp
memory/1396-191-0x0000000007550000-0x000000000759C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16C6.exe
| MD5 | 7f28547a6060699461824f75c96feaeb |
| SHA1 | 744195a7d3ef1aa32dcb99d15f73e26a20813259 |
| SHA256 | ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff |
| SHA512 | eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239 |
memory/2320-218-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\1948.exe
| MD5 | 20e21e63bb7a95492aec18de6aa85ab9 |
| SHA1 | 6cbf2079a42d86bf155c06c7ad5360c539c02b15 |
| SHA256 | 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17 |
| SHA512 | 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33 |
memory/2320-220-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/2320-183-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/2320-222-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\21B5.exe
| MD5 | 6beaa4e2ea0db39aff347b9c04e8a0ba |
| SHA1 | e253f412caec1283ea8142a225e039233827d459 |
| SHA256 | 2be8c3b5bc8178e38982858a94f77e24e038910438c699f889421a01b65adadc |
| SHA512 | 4cf4c763486ca385b7f3825ddc57e8d0b9f8b326e8b0d02e5b2e24c115c48d6ed3b59f255331ff4a29bd7a2e7f4039440972968777460cb3d1ee31097a5e8e3e |
memory/2320-226-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1948.exe
| MD5 | 20e21e63bb7a95492aec18de6aa85ab9 |
| SHA1 | 6cbf2079a42d86bf155c06c7ad5360c539c02b15 |
| SHA256 | 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17 |
| SHA512 | 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33 |
memory/2320-227-0x0000000073010000-0x00000000737C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
memory/4604-171-0x0000000007AC0000-0x0000000007AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16C6.exe
| MD5 | 7f28547a6060699461824f75c96feaeb |
| SHA1 | 744195a7d3ef1aa32dcb99d15f73e26a20813259 |
| SHA256 | ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff |
| SHA512 | eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
memory/2320-247-0x00000000049B0000-0x00000000049C0000-memory.dmp
memory/2320-249-0x00000000049B0000-0x00000000049C0000-memory.dmp
\??\pipe\LOCAL\crashpad_880_ABHICPGUMJWLZPHN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3400-246-0x0000000007AE0000-0x0000000007B46000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f5cf3ce151dd69d2d3d840212dc36b36 |
| SHA1 | 27113de64283773ea5651060d35f85653c6f76e7 |
| SHA256 | e663aa5f46fb6b14d014d02c8738649f430dc60e08d6123aa25197a1bf316e74 |
| SHA512 | dfd8f8872e36f523a23659169bd2adbd2ecedf215fa1e3e341a2cfd4a0c5f64d3248ba5308b0eb42fac47fe022da7af8ed4ea301dbddca5af8a685fa445bc8a5 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f332ffb0cb5ae622bd9aadcb47751631 |
| SHA1 | 3ecfc1bbb2c9ad8b382edee471490ed2d2a952f1 |
| SHA256 | e233461c6dc5aa5e337f4ab9095b5b4aa1fac28468152fc5250b81213cab3478 |
| SHA512 | 925ec7439eaba5580ba2c161f633b945691bdb65f166fd0e21b9bf12f5308f486d1cbbb8514c40af8976911c52f5df54f99bc4c3147b038f9e35c751f153bb47 |
memory/3400-288-0x0000000009320000-0x0000000009396000-memory.dmp
memory/4604-301-0x0000000073010000-0x00000000737C0000-memory.dmp
memory/3400-305-0x00000000093A0000-0x00000000093BE000-memory.dmp
memory/3400-312-0x0000000009450000-0x00000000094A0000-memory.dmp
memory/1396-313-0x0000000007090000-0x00000000070A0000-memory.dmp
memory/3400-314-0x000000000A6B0000-0x000000000A872000-memory.dmp
memory/3400-315-0x000000000ADB0000-0x000000000B2DC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f5cf3ce151dd69d2d3d840212dc36b36 |
| SHA1 | 27113de64283773ea5651060d35f85653c6f76e7 |
| SHA256 | e663aa5f46fb6b14d014d02c8738649f430dc60e08d6123aa25197a1bf316e74 |
| SHA512 | dfd8f8872e36f523a23659169bd2adbd2ecedf215fa1e3e341a2cfd4a0c5f64d3248ba5308b0eb42fac47fe022da7af8ed4ea301dbddca5af8a685fa445bc8a5 |
memory/4604-317-0x0000000007AC0000-0x0000000007AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Temp\44DE.exe
| MD5 | 85fb3b5dffede43c9eb9510b19e440b4 |
| SHA1 | 6623493bbc3dd0fb63b8b8740b22d682e91204b1 |
| SHA256 | 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a |
| SHA512 | af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40 |
C:\Users\Admin\AppData\Local\Temp\44DE.exe
| MD5 | 85fb3b5dffede43c9eb9510b19e440b4 |
| SHA1 | 6623493bbc3dd0fb63b8b8740b22d682e91204b1 |
| SHA256 | 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a |
| SHA512 | af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40 |
C:\Users\Admin\AppData\Local\Temp\46B4.exe
| MD5 | 42d97769a8cfdfedac8e03f6903e076b |
| SHA1 | 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe |
| SHA256 | f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b |
| SHA512 | 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77 |
C:\Users\Admin\AppData\Local\Temp\4964.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
C:\Users\Admin\AppData\Local\Temp\4964.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
C:\Users\Admin\AppData\Local\Temp\46B4.exe
| MD5 | 42d97769a8cfdfedac8e03f6903e076b |
| SHA1 | 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe |
| SHA256 | f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b |
| SHA512 | 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77 |
C:\Users\Admin\AppData\Local\Temp\4BA7.exe
| MD5 | d5752c23e575b5a1a1cc20892462634a |
| SHA1 | 132e347a010ea0c809844a4d90bcc0414a11da3f |
| SHA256 | c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb |
| SHA512 | ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8 |
C:\Users\Admin\AppData\Local\Temp\4BA7.exe
| MD5 | d5752c23e575b5a1a1cc20892462634a |
| SHA1 | 132e347a010ea0c809844a4d90bcc0414a11da3f |
| SHA256 | c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb |
| SHA512 | ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8 |
memory/3088-371-0x00000000001C0000-0x00000000001DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e5bbfaa96a70b5c2316d1befe5a1b85c |
| SHA1 | 399a478e94abf553332d11c18b9f88894ecaeabe |
| SHA256 | b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30 |
| SHA512 | bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 711b4f27fa6c6fb1295a741594c48c2c |
| SHA1 | 397f5a4b0783b847b48a8c787204b50881ba335a |
| SHA256 | da9897b32afbfd39bf04e4fded967c2d25c5430f8c16f89a2bfc6a5233e152bb |
| SHA512 | f12813ecf3b2e15c5e1a50a17d402b5aa96646dde53588a896b6bc11ec473dda00d08c7734696212d1a4d1c201b48a3a07b444ae8e013b228aa983fd665001cc |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e5bbfaa96a70b5c2316d1befe5a1b85c |
| SHA1 | 399a478e94abf553332d11c18b9f88894ecaeabe |
| SHA256 | b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30 |
| SHA512 | bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e5bbfaa96a70b5c2316d1befe5a1b85c |
| SHA1 | 399a478e94abf553332d11c18b9f88894ecaeabe |
| SHA256 | b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30 |
| SHA512 | bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0bce2fed456a72a2486b1d17621c88d6 |
| SHA1 | 4cbff382f76920526ec0bc81a05bfd372dd88229 |
| SHA256 | 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b |
| SHA512 | 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f59075e7f5aae6678d2769459c9125b4 |
| SHA1 | 411700e89c31b996ba13a9bfda71033af9806aec |
| SHA256 | eea8aa822a92e6c486cd46514c27d7ad0e184af2b07daccb5f1921500ec3a1d8 |
| SHA512 | 2f171bc4b70c3458ef80c1848a3c5241b08105194eea2ef1f2d6c6436be5c84d2a68d1ad8230903492a783025058308eecfc2c0850cbae9911866a21a1af59a1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 699e3636ed7444d9b47772e4446ccfc1 |
| SHA1 | db0459ca6ceeea2e87e0023a6b7ee06aeed6fded |
| SHA256 | 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a |
| SHA512 | d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbbc4e4f.pke.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |