Analysis Overview
SHA256
1a6097ace0601a6126b4d85c06b6f207f8c79d8d29669ad0ced910cc88eb7700
Threat Level: Known bad
The file 1a6097ace0601a6126b4d85c06b6f207f8c79d8d29669ad0ced910cc88eb7700 was found to be: Known bad.
Malicious Activity Summary
Raccoon
RedLine payload
Modifies Windows Defender Real-time Protection settings
DcRat
Glupteba payload
Amadey
RedLine
Raccoon Stealer payload
Glupteba
Detect ZGRat V1
SmokeLoader
ZGRat
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
Windows security modification
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Runs net.exe
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-25 04:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-25 04:58
Reported
2023-10-25 05:01
Platform
win10v2004-20231023-en
Max time kernel
119s
Max time network
154s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSD18F.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\K.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8405.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3A56.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos2.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XZ0vR6Nc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IT2Ok4Mi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\7107.exe'\"" | C:\Users\Admin\AppData\Local\Temp\7107.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7F8B.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vv4Dk3su.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qR1Rr4nu.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3772 set thread context of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\1a6097ace0601a6126b4d85c06b6f207f8c79d8d29669ad0ced910cc88eb7700.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4984 set thread context of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ku47YB5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4796 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\7A4F.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSD18F.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSD18F.tmp\Install.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8348.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\K.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1a6097ace0601a6126b4d85c06b6f207f8c79d8d29669ad0ced910cc88eb7700.exe
"C:\Users\Admin\AppData\Local\Temp\1a6097ace0601a6126b4d85c06b6f207f8c79d8d29669ad0ced910cc88eb7700.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\7F8B.exe
C:\Users\Admin\AppData\Local\Temp\7F8B.exe
C:\Users\Admin\AppData\Local\Temp\8048.exe
C:\Users\Admin\AppData\Local\Temp\8048.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81FE.bat" "
C:\Users\Admin\AppData\Local\Temp\82BB.exe
C:\Users\Admin\AppData\Local\Temp\82BB.exe
C:\Users\Admin\AppData\Local\Temp\8348.exe
C:\Users\Admin\AppData\Local\Temp\8348.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vv4Dk3su.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vv4Dk3su.exe
C:\Users\Admin\AppData\Local\Temp\8405.exe
C:\Users\Admin\AppData\Local\Temp\8405.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qR1Rr4nu.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qR1Rr4nu.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XZ0vR6Nc.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XZ0vR6Nc.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IT2Ok4Mi.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IT2Ok4Mi.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ku47YB5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ku47YB5.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcf1dd46f8,0x7ffcf1dd4708,0x7ffcf1dd4718
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffcf1dd46f8,0x7ffcf1dd4708,0x7ffcf1dd4718
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,1949397614973591078,8409595171962760592,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,1949397614973591078,8409595171962760592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vx442OZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vx442OZ.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2804 /prefetch:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4624 -ip 4624
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,18045356100541862526,17611218681037464243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
C:\Users\Admin\AppData\Roaming\shdugvt
C:\Users\Admin\AppData\Roaming\shdugvt
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\3A56.exe
C:\Users\Admin\AppData\Local\Temp\3A56.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\7107.exe
C:\Users\Admin\AppData\Local\Temp\7107.exe
C:\Users\Admin\AppData\Local\Temp\7A4F.exe
C:\Users\Admin\AppData\Local\Temp\7A4F.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\kos2.exe
"C:\Users\Admin\AppData\Local\Temp\kos2.exe"
C:\Users\Admin\AppData\Local\Temp\B0F0.exe
C:\Users\Admin\AppData\Local\Temp\B0F0.exe
C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\K.exe
"C:\Users\Admin\AppData\Local\Temp\K.exe"
C:\Users\Admin\AppData\Local\Temp\is-0G2JL.tmp\is-736N8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0G2JL.tmp\is-736N8.tmp" /SL4 $9020E "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224
C:\Users\Admin\AppData\Local\Temp\7zSC867.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\CB40.exe
C:\Users\Admin\AppData\Local\Temp\CB40.exe
C:\Users\Admin\AppData\Local\Temp\7zSD18F.tmp\Install.exe
.\Install.exe /MKdidA "385119" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\MyBurn\MyBurn.exe
"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 20
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 20
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPwSbvvjn" /SC once /ST 04:52:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4616 -ip 4616
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\MyBurn\MyBurn.exe
"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 600
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPwSbvvjn"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPwSbvvjn"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 05:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\mwYDRkr.exe\" 3Y /TJsite_idozw 385119 /S" /V1 /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| TR | 185.216.70.222:80 | tcp | |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 15.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| NL | 157.240.201.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| NL | 81.161.229.93:80 | 81.161.229.93 | tcp |
| US | 8.8.8.8:53 | 93.229.161.81.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| FI | 77.91.124.71:4341 | tcp | |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| RU | 85.209.11.85:41140 | tcp | |
| US | 8.8.8.8:53 | 85.11.209.85.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.34:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 34.26.214.95.in-addr.arpa | udp |
Files
memory/3280-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3280-1-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3288-2-0x0000000000E80000-0x0000000000E96000-memory.dmp
memory/3280-3-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7F8B.exe
| MD5 | 972727a79703ade151137b9e331e9a86 |
| SHA1 | 72736f9b3697aba00ee2ca8287f9d70447d3be94 |
| SHA256 | e449c675a93979ebe848d471ef011eafd64addbc560bff598d4d0e54f8b34ad5 |
| SHA512 | 1c81cb64596ace3d20b2bd1ed94b33c26f8f0c70f3974c7006590eb34b8464e0ceebdac14c3506d53fda58887935dc365ccf9bb59196d3c2b59475b86b006d4b |
C:\Users\Admin\AppData\Local\Temp\7F8B.exe
| MD5 | 972727a79703ade151137b9e331e9a86 |
| SHA1 | 72736f9b3697aba00ee2ca8287f9d70447d3be94 |
| SHA256 | e449c675a93979ebe848d471ef011eafd64addbc560bff598d4d0e54f8b34ad5 |
| SHA512 | 1c81cb64596ace3d20b2bd1ed94b33c26f8f0c70f3974c7006590eb34b8464e0ceebdac14c3506d53fda58887935dc365ccf9bb59196d3c2b59475b86b006d4b |
C:\Users\Admin\AppData\Local\Temp\8048.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\8048.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\82BB.exe
| MD5 | 73089952a99d24a37d9219c4e30decde |
| SHA1 | 8dfa37723afc72f1728ec83f676ffeac9102f8bd |
| SHA256 | 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60 |
| SHA512 | 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2 |
C:\Users\Admin\AppData\Local\Temp\81FE.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\82BB.exe
| MD5 | 73089952a99d24a37d9219c4e30decde |
| SHA1 | 8dfa37723afc72f1728ec83f676ffeac9102f8bd |
| SHA256 | 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60 |
| SHA512 | 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2 |
C:\Users\Admin\AppData\Local\Temp\8348.exe
| MD5 | d2ed05fd71460e6d4c505ce87495b859 |
| SHA1 | a970dfe775c4e3f157b5b2e26b1f77da7ae6d884 |
| SHA256 | 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f |
| SHA512 | a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e |
C:\Users\Admin\AppData\Local\Temp\8348.exe
| MD5 | d2ed05fd71460e6d4c505ce87495b859 |
| SHA1 | a970dfe775c4e3f157b5b2e26b1f77da7ae6d884 |
| SHA256 | 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f |
| SHA512 | a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vv4Dk3su.exe
| MD5 | 02b57b802e202cbb151046018a9424b2 |
| SHA1 | b3ace6cf0b842ad25b959636cb559ff3845bf8cd |
| SHA256 | feafae3e9788e922b63a47ad705304511fd02af70a47666fbd526fdc148ee49e |
| SHA512 | 2c1ffcb098c05bc958d5791a557f6078a2d6802a005f33038207ca862c31b6ebc334d003ca78456443779a241855d9ad1b1ace05f4d108df78fd4dcb49b60105 |
C:\Users\Admin\AppData\Local\Temp\8405.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vv4Dk3su.exe
| MD5 | 02b57b802e202cbb151046018a9424b2 |
| SHA1 | b3ace6cf0b842ad25b959636cb559ff3845bf8cd |
| SHA256 | feafae3e9788e922b63a47ad705304511fd02af70a47666fbd526fdc148ee49e |
| SHA512 | 2c1ffcb098c05bc958d5791a557f6078a2d6802a005f33038207ca862c31b6ebc334d003ca78456443779a241855d9ad1b1ace05f4d108df78fd4dcb49b60105 |
C:\Users\Admin\AppData\Local\Temp\8405.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5nI22oj.exe
| MD5 | b2b19e7d4114484da91e940483597a58 |
| SHA1 | 792bc4a6b3e64dfa1281db93380c4ef3824c36f5 |
| SHA256 | 6a31c90e05f274b812cc05b70a3586cf661c92fb82837c873410bb793ccce325 |
| SHA512 | 46acdabee7bcdcb9472377ca9fcf1595259e623ca39d561328c39f56dbd6a174f305ce5dfc40247f59c209fba84f361613c1c065a30c2fa8695d3e2be31ce668 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qR1Rr4nu.exe
| MD5 | 3043ba5a8f8f9785ed2ff3187b14e5c5 |
| SHA1 | 07f5eb734c1c4475e6d4d9e514dc7f21e5408dbe |
| SHA256 | c1fc644c73ab1ac8d26e42c392010341026661f4fc144dea52d8e7be156cd1de |
| SHA512 | 1513d77c2817ff8dbb78397f3f7af3145c708165a8b2ad762d50a1e97b6c85a6caefc6b776120af8581471aa2f5a1e1160fe6aa3af10b8044ee145c025f3faa5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qR1Rr4nu.exe
| MD5 | 3043ba5a8f8f9785ed2ff3187b14e5c5 |
| SHA1 | 07f5eb734c1c4475e6d4d9e514dc7f21e5408dbe |
| SHA256 | c1fc644c73ab1ac8d26e42c392010341026661f4fc144dea52d8e7be156cd1de |
| SHA512 | 1513d77c2817ff8dbb78397f3f7af3145c708165a8b2ad762d50a1e97b6c85a6caefc6b776120af8581471aa2f5a1e1160fe6aa3af10b8044ee145c025f3faa5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XZ0vR6Nc.exe
| MD5 | 3b1203cd842bc9d0b9d76c28b0a693dc |
| SHA1 | ba749c19740dc706edcbcccde91c378cdaec4551 |
| SHA256 | 1727320e79822150daa703be28523b19bf75eaf64d16e9d7b0573933cd7a6e22 |
| SHA512 | 3248b60c8cb883fc40555297f8303b952312aaefd85af21dd47ffe7a38b683420a5740b4eb7d1210facfbce5b9bbbbdecc619844e1180fc8e3efbc10c3542f5f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XZ0vR6Nc.exe
| MD5 | 3b1203cd842bc9d0b9d76c28b0a693dc |
| SHA1 | ba749c19740dc706edcbcccde91c378cdaec4551 |
| SHA256 | 1727320e79822150daa703be28523b19bf75eaf64d16e9d7b0573933cd7a6e22 |
| SHA512 | 3248b60c8cb883fc40555297f8303b952312aaefd85af21dd47ffe7a38b683420a5740b4eb7d1210facfbce5b9bbbbdecc619844e1180fc8e3efbc10c3542f5f |
memory/2128-61-0x0000000000200000-0x000000000020A000-memory.dmp
memory/416-64-0x0000000000B20000-0x0000000000B5E000-memory.dmp
memory/2128-56-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IT2Ok4Mi.exe
| MD5 | 656e5a534ceb767df8a16cd636ff573f |
| SHA1 | a51109253b074d4f2aa23a101cb053bd8a80a520 |
| SHA256 | 93e4a08cb5987285965ab6a7d30c3f9214ad826d9c88c87dce6f63b7ab5fc5c9 |
| SHA512 | d5827255e1abdf0cba72b29b51bc93e25a7c134fbffdd8a10db3b0fbe1bfc1a02d1c540dea13b9ac34a10847d747c3305b6a5912be71c68022fa0195417f4307 |
memory/416-66-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IT2Ok4Mi.exe
| MD5 | 656e5a534ceb767df8a16cd636ff573f |
| SHA1 | a51109253b074d4f2aa23a101cb053bd8a80a520 |
| SHA256 | 93e4a08cb5987285965ab6a7d30c3f9214ad826d9c88c87dce6f63b7ab5fc5c9 |
| SHA512 | d5827255e1abdf0cba72b29b51bc93e25a7c134fbffdd8a10db3b0fbe1bfc1a02d1c540dea13b9ac34a10847d747c3305b6a5912be71c68022fa0195417f4307 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ku47YB5.exe
| MD5 | 376ec4f75781c74ac70c0ecfa3fce854 |
| SHA1 | a6708f5e1a40067457f0d7306cc0533e17b799ec |
| SHA256 | e6414a76aaa77d854911c31728e27985a1960c27ed0d4666fd7625dac2e946d5 |
| SHA512 | 83d710cd01eec505e6dcab589d20b28813e585bcb783e264cf9aa83c253f5020cd57e0953c745906e988f40e9503114e75db9bcf2d89e03efac1b26ceccf28fb |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ku47YB5.exe
| MD5 | 376ec4f75781c74ac70c0ecfa3fce854 |
| SHA1 | a6708f5e1a40067457f0d7306cc0533e17b799ec |
| SHA256 | e6414a76aaa77d854911c31728e27985a1960c27ed0d4666fd7625dac2e946d5 |
| SHA512 | 83d710cd01eec505e6dcab589d20b28813e585bcb783e264cf9aa83c253f5020cd57e0953c745906e988f40e9503114e75db9bcf2d89e03efac1b26ceccf28fb |
memory/416-78-0x0000000007E60000-0x0000000008404000-memory.dmp
memory/416-79-0x00000000078B0000-0x0000000007942000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/416-83-0x00000000053F0000-0x0000000005400000-memory.dmp
memory/416-84-0x0000000007A50000-0x0000000007A5A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e9a87c8dba0154bb9bef5be9c239bf17 |
| SHA1 | 1c653df4130926b5a1dcab0b111066c006ac82ab |
| SHA256 | 5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5 |
| SHA512 | bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
memory/416-98-0x0000000008A30000-0x0000000009048000-memory.dmp
memory/416-99-0x0000000007C00000-0x0000000007D0A000-memory.dmp
memory/416-100-0x0000000007B30000-0x0000000007B42000-memory.dmp
memory/416-101-0x0000000007B90000-0x0000000007BCC000-memory.dmp
memory/416-102-0x0000000007D10000-0x0000000007D5C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
memory/4624-122-0x0000000000400000-0x0000000000434000-memory.dmp
\??\pipe\LOCAL\crashpad_1780_DNXCPUMPCOEQNSUY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
memory/4624-118-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4624-117-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vx442OZ.exe
| MD5 | 50227bae42a1f76430313203f0e7444c |
| SHA1 | d9b17c80573854738159f4e2e841882a26f64206 |
| SHA256 | bf5db0d5bac9aecf30764e859276a345fef2b056c258cd146f8dde71532cdd11 |
| SHA512 | 6e0751c20fa4f0eb9f6d2393029bbe14d4d55115b65f1121159a32df76814ec6ba476c89e62c66e9548377ea2ed8a10a23acfcd7ebfc542259770bbd78385346 |
memory/4624-129-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vx442OZ.exe
| MD5 | 50227bae42a1f76430313203f0e7444c |
| SHA1 | d9b17c80573854738159f4e2e841882a26f64206 |
| SHA256 | bf5db0d5bac9aecf30764e859276a345fef2b056c258cd146f8dde71532cdd11 |
| SHA512 | 6e0751c20fa4f0eb9f6d2393029bbe14d4d55115b65f1121159a32df76814ec6ba476c89e62c66e9548377ea2ed8a10a23acfcd7ebfc542259770bbd78385346 |
\??\pipe\LOCAL\crashpad_116_RSKYEIQPHBINKAKA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 94cc9405a1c2fa04235f11df3be2a62a |
| SHA1 | b42e5e64be6ca1ad82ac9703bb2441416ddc4158 |
| SHA256 | b594278445def67323b720f10aff28a6f0270e0091aacbf280f2bf0af4889220 |
| SHA512 | 7079672f44c489f6465d703992c29c71214b33fa9e7a753a5d74b34912b2f8968fb686e5f7e1c86183888c0a0175defea1c87c1e88b134187e8941a6d4dfd587 |
memory/3724-136-0x0000000000190000-0x00000000001CE000-memory.dmp
memory/3724-137-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/3724-138-0x00000000070B0000-0x00000000070C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5a2ed9681b83a6846ed34064fb65a4f7 |
| SHA1 | 2145f987e54129744d7490a5278f95db91bc1ba0 |
| SHA256 | 162bc647912b7fe08ebbdf0e76bc9d4e541da2b6732837930f9a02fb1bf596bc |
| SHA512 | c5c33e03d82095f957aabc5492e49da1b216d45faee90e6c03bf8902277194ab2acb1bf53a29147b4bee7a33d6a4a73360dde85c634738b6eecc4ab3143555d9 |
memory/2128-162-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/416-163-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/2128-167-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bba59c61de375766c1d7abaa80771d1e |
| SHA1 | 3215927db79cdb8bbcb723df2e6be147ca156857 |
| SHA256 | 2bafcd694b4e143b0d6b2881f91f94c308f464f41ccfba9842600cae172d39db |
| SHA512 | fc2c99c14c7ac4cd930a7209790802f44ee7effc0c7fee56c72d5df23efeab854dbe018c89f3da579f5966e2c944fb8e799e586875f8381a0692c47feab9fee7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 94cc9405a1c2fa04235f11df3be2a62a |
| SHA1 | b42e5e64be6ca1ad82ac9703bb2441416ddc4158 |
| SHA256 | b594278445def67323b720f10aff28a6f0270e0091aacbf280f2bf0af4889220 |
| SHA512 | 7079672f44c489f6465d703992c29c71214b33fa9e7a753a5d74b34912b2f8968fb686e5f7e1c86183888c0a0175defea1c87c1e88b134187e8941a6d4dfd587 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/3724-211-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 93855665e8e0dffb925099fbf79d281d |
| SHA1 | e74141083922943bb3ce56c6c048e6bed6d227e0 |
| SHA256 | 41a041a96ba956ffb5039526f457905385c558af6ea47186df7d2e46427f2651 |
| SHA512 | 91f599961df5d253673c2edff1d8598248cbae6c061a00363b384b61e76e1dd2a14e8712408b975e964e7a042406a1a81718b79c396606cabfff81e03fb9b091 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 3a748249c8b0e04e77ad0d6723e564ff |
| SHA1 | 5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729 |
| SHA256 | f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed |
| SHA512 | 53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2 |
memory/3724-263-0x00000000070B0000-0x00000000070C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 83508e83268c6e64080b87252783d04d |
| SHA1 | 5ed27d40d4f06c149885d3aa65eceeb2099e9ca6 |
| SHA256 | 753dc5f772f47b9c6a933557c7c7989f2906282d135ebc191ed5d654fbd50092 |
| SHA512 | 3798a18934c4c25859d5bb9d969d9e0fc71ca7a9ab226a9fba05ee4f74321d8c21ad8010e7bc31564877c588c0f7f9f71299948ed278919c20e323baee98d748 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f72c.TMP
| MD5 | 3fac4aceeb78ee73f8f4c2cd64d04728 |
| SHA1 | c201ac91492bb7ddc1d2fd8111bc652c6fe41903 |
| SHA256 | e1302d8f1c947adc457e964c36cd39c8e686ddd95c1932b272e2ced3831fce9a |
| SHA512 | 057b00ef89bfaaa72d9d274b94b4aa189cdda016de6ea64a0c517e8151415a49351d4c315270c9408042ffa4c72424169c4b8371b2d0aafb48179521c94539d5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7f4b998ec7cdd83568c41f771a12ad02 |
| SHA1 | 38bfd11ca69c2ab5faa0392a076057114fb30655 |
| SHA256 | 0c1726a71f6665080e2af4de29f8788cf6552015bd0169f20dc16ba0dc74bf40 |
| SHA512 | 17f7bf5b97b55afb2ee537e02e5a6f62e59684bdd7c27e5cdcad53894a7557cccfba668f584b2ff7247a7993c8e965013f500a2ade69ec1b26c4ecc307746e33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 28567e2f0774e1f8d63b53e55d75c415 |
| SHA1 | e2f00e1624a54fa9801575d4e2d9fbfad333541b |
| SHA256 | b19c1b6a251ee5ea7692f5fbf490cbcd61b8d416594fe05a77e99ca1d2465d05 |
| SHA512 | 39f4ebaefb0360c420cb954023b074483dfcf0c4444d364e5f0672730024004de3cc20a0cc648e5b1a31019a7e60ffed3717dce42aa9d500d1e2628384810166 |
C:\Users\Admin\AppData\Roaming\shdugvt
| MD5 | 89d41e1cf478a3d3c2c701a27a5692b2 |
| SHA1 | 691e20583ef80cb9a2fd3258560e7f02481d12fd |
| SHA256 | dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac |
| SHA512 | 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc |
C:\Users\Admin\AppData\Roaming\shdugvt
| MD5 | 89d41e1cf478a3d3c2c701a27a5692b2 |
| SHA1 | 691e20583ef80cb9a2fd3258560e7f02481d12fd |
| SHA256 | dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac |
| SHA512 | 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Temp\3A56.exe
| MD5 | ab873524526f037ab21e3cb17b874f01 |
| SHA1 | 0589229498b68ee0f329751ae130bd50261a19bd |
| SHA256 | 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc |
| SHA512 | 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11 |
C:\Users\Admin\AppData\Local\Temp\3A56.exe
| MD5 | ab873524526f037ab21e3cb17b874f01 |
| SHA1 | 0589229498b68ee0f329751ae130bd50261a19bd |
| SHA256 | 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc |
| SHA512 | 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11 |
memory/5216-346-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7107.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
memory/5216-359-0x0000000000A60000-0x0000000001CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7107.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Temp\7A4F.exe
| MD5 | d62e850c9581a62c7ef484d60a713e3c |
| SHA1 | 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a |
| SHA256 | c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e |
| SHA512 | bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6 |
C:\Users\Admin\AppData\Local\Temp\7A4F.exe
| MD5 | d62e850c9581a62c7ef484d60a713e3c |
| SHA1 | 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a |
| SHA256 | c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e |
| SHA512 | bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6 |
memory/5100-369-0x0000000000400000-0x000000000047E000-memory.dmp
memory/5100-370-0x0000000000550000-0x00000000005AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 2aa70916a47ad55b25b51b15e07ded8e |
| SHA1 | 4eac7c1c0af31e01535a895041741f1e250aa034 |
| SHA256 | f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d |
| SHA512 | b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 2aa70916a47ad55b25b51b15e07ded8e |
| SHA1 | 4eac7c1c0af31e01535a895041741f1e250aa034 |
| SHA256 | f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d |
| SHA512 | b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 2aa70916a47ad55b25b51b15e07ded8e |
| SHA1 | 4eac7c1c0af31e01535a895041741f1e250aa034 |
| SHA256 | f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d |
| SHA512 | b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954 |
memory/5100-384-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/5100-385-0x00000000075C0000-0x00000000075D0000-memory.dmp
memory/5216-390-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 1c01927ac6e677d4f277cb9f7648ca70 |
| SHA1 | 30d980c95b28c4856baef117e228d75e6a25e113 |
| SHA256 | c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a |
| SHA512 | 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 1c01927ac6e677d4f277cb9f7648ca70 |
| SHA1 | 30d980c95b28c4856baef117e228d75e6a25e113 |
| SHA256 | c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a |
| SHA512 | 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 1c01927ac6e677d4f277cb9f7648ca70 |
| SHA1 | 30d980c95b28c4856baef117e228d75e6a25e113 |
| SHA256 | c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a |
| SHA512 | 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e |
memory/4796-402-0x00000000008B0000-0x00000000009B0000-memory.dmp
memory/4796-403-0x0000000000850000-0x0000000000859000-memory.dmp
memory/5100-404-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2664-405-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 2aa70916a47ad55b25b51b15e07ded8e |
| SHA1 | 4eac7c1c0af31e01535a895041741f1e250aa034 |
| SHA256 | f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d |
| SHA512 | b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954 |
memory/5100-407-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/2664-408-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5100-409-0x00000000075C0000-0x00000000075D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | cac360e5fb18e8f135b7008cb478e15a |
| SHA1 | 37e4f9b25237b12ab283fc70bf89242ab3b83875 |
| SHA256 | e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8 |
| SHA512 | 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32 |
memory/948-425-0x0000000002BE0000-0x0000000002FE7000-memory.dmp
memory/948-426-0x0000000002FF0000-0x00000000038DB000-memory.dmp
memory/3288-428-0x00000000033D0000-0x00000000033E6000-memory.dmp
memory/2664-429-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | cac360e5fb18e8f135b7008cb478e15a |
| SHA1 | 37e4f9b25237b12ab283fc70bf89242ab3b83875 |
| SHA256 | e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8 |
| SHA512 | 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32 |
C:\Users\Admin\AppData\Local\Temp\kos2.exe
| MD5 | 665db9794d6e6e7052e7c469f48de771 |
| SHA1 | ed9a3f9262f675a03a9f1f70856e3532b095c89f |
| SHA256 | c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196 |
| SHA512 | 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74 |
memory/4044-453-0x0000000000CE0000-0x0000000000E5E000-memory.dmp
memory/4044-458-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\set16.exe
| MD5 | b224196c88f09b615527b2df0e860e49 |
| SHA1 | f9ae161836a34264458d8c0b2a083c98093f1dec |
| SHA256 | 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8 |
| SHA512 | d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d |
memory/948-466-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Temp\K.exe
| MD5 | ac65407254780025e8a71da7b925c4f3 |
| SHA1 | 5c7ae625586c1c00ec9d35caa4f71b020425a6ba |
| SHA256 | 26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e |
| SHA512 | 27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab |
memory/4640-475-0x0000000000400000-0x0000000000413000-memory.dmp
memory/6032-487-0x00000000006D0000-0x00000000006D8000-memory.dmp
memory/948-485-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/4044-490-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/5216-489-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/6032-496-0x00007FFCEDEE0000-0x00007FFCEE9A1000-memory.dmp
memory/6032-497-0x000000001B390000-0x000000001B3A0000-memory.dmp
memory/948-498-0x0000000002BE0000-0x0000000002FE7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 802339d3087e4a4c6a168eeb20229c83 |
| SHA1 | 611ed2c3f93e10c378f574ec0b48b2c2aad2491a |
| SHA256 | 5303855de3b683b86c7cf8bc07b93b1b607b59c80475e843c2d1f358f0105ac7 |
| SHA512 | 7c8712d0a4170f3bbaaebdc396903576e235862ad711ee7979f2b15c25ce1cf4e221182c61a6519d9b45910be3e49a814d0271df2d62e484b1a0197fc47597c0 |
memory/5100-510-0x0000000008110000-0x0000000008176000-memory.dmp
memory/228-514-0x0000000000F00000-0x00000000012E0000-memory.dmp
memory/948-513-0x0000000002FF0000-0x00000000038DB000-memory.dmp
memory/228-515-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | ec6aae2bb7d8781226ea61adca8f0586 |
| SHA1 | d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3 |
| SHA256 | b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599 |
| SHA512 | aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7 |
memory/228-525-0x0000000005BA0000-0x0000000005C3C000-memory.dmp
memory/4068-527-0x0000000000B00000-0x00000000011EF000-memory.dmp
memory/4068-529-0x0000000010000000-0x000000001057B000-memory.dmp
memory/948-532-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/4772-533-0x00007FF62A730000-0x00007FF62B240000-memory.dmp
memory/4640-534-0x0000000000400000-0x0000000000413000-memory.dmp
memory/948-535-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/6140-536-0x00007FF72D660000-0x00007FF72DC01000-memory.dmp
memory/2744-537-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2744-541-0x0000000002210000-0x0000000002211000-memory.dmp
memory/6032-542-0x00007FFCEDEE0000-0x00007FFCEE9A1000-memory.dmp
memory/6032-552-0x000000001B390000-0x000000001B3A0000-memory.dmp
memory/228-553-0x0000000003510000-0x000000000351A000-memory.dmp
memory/228-554-0x0000000003530000-0x0000000003538000-memory.dmp
memory/228-555-0x0000000005CF0000-0x0000000005E82000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ee3af0590a9ad543889474dc366bb96b |
| SHA1 | fd3f6756065564979a162a6dafa2ed206669d0f7 |
| SHA256 | e998880ec6dddc78aa67af96a74b8aafe4c7eec23cc7b4bbd053a5afe3defb70 |
| SHA512 | 80d1fdf144b3cf64e4ab4727076470b56645272ce77fcad96f16a357338e6ec15214eb25d1ba1469fe2c9e9a906e3ae25dd2577af116e7351c9f448db0f8dbc8 |
memory/228-565-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/228-570-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
memory/4068-571-0x0000000000B00000-0x00000000011EF000-memory.dmp
memory/228-573-0x00000000035A0000-0x00000000035B0000-memory.dmp
memory/4772-572-0x00007FF62A730000-0x00007FF62B240000-memory.dmp
memory/948-601-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/4616-607-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2744-606-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/4616-614-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5456-615-0x0000000000400000-0x0000000000627000-memory.dmp
memory/4616-620-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5456-621-0x0000000000400000-0x0000000000627000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gutnaxr4.a1w.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4772-656-0x00007FF62A730000-0x00007FF62B240000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e879d0230512299f3f6f2984ae49f049 |
| SHA1 | 375c9b87decdd06922f860b41b3758facdd2641b |
| SHA256 | e5085ce927d575263e32e1c75f417881831f62b77c2b685aeaca8f3713343bf0 |
| SHA512 | 53bc06a7a1ce2c71e81e7b2112041709ba2fab9ba8236d14433b626538ec6db75c29e05840c8da3e20930b8433820211865f4513dc532a4f0add8b0c1f2a0c12 |
memory/6140-758-0x00007FF72D660000-0x00007FF72DC01000-memory.dmp
memory/4772-761-0x00007FF62A730000-0x00007FF62B240000-memory.dmp
memory/948-765-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/2744-766-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/4092-770-0x0000000000400000-0x0000000000627000-memory.dmp