Analysis Overview
SHA256
45d00a5a9e3318ede8f8498d30816c73a5725138e9efd6ffdb7e5f8c1bb840cc
Threat Level: Known bad
The file 45d00a5a9e3318ede8f8498d30816c73a5725138e9efd6ffdb7e5f8c1bb840cc was found to be: Known bad.
Malicious Activity Summary
Glupteba
Detect ZGRat V1
RedLine payload
Raccoon
DcRat
RedLine
Amadey
Glupteba payload
Raccoon Stealer payload
SmokeLoader
ZGRat
Modifies Windows Defender Real-time Protection settings
Downloads MZ/PE file
Windows security modification
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 07:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 07:00
Reported
2023-10-26 07:03
Platform
win10v2004-20231023-en
Max time kernel
55s
Max time network
107s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\45d00a5a9e3318ede8f8498d30816c73a5725138e9efd6ffdb7e5f8c1bb840cc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\F8F.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\F8F.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\F8F.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\F8F.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\F8F.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Qi0mc8.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1406.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1406.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\F8F.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rt2xh74.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\942.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sq2Dh8qj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UO6Ry3ul.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mb8jm64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TD0Ay75.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yC7zl24.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\NE3QU36.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kG5lG0uG.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xe3qd3Cq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\5D27.exe'\"" | C:\Users\Admin\AppData\Local\Temp\5D27.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\45d00a5a9e3318ede8f8498d30816c73a5725138e9efd6ffdb7e5f8c1bb840cc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3956 set thread context of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1up18vy2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3596 set thread context of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ve7084.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2192 set thread context of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4mD449Wk.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4916 set thread context of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1IE11lN6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\1406.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F8F.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45d00a5a9e3318ede8f8498d30816c73a5725138e9efd6ffdb7e5f8c1bb840cc.exe
"C:\Users\Admin\AppData\Local\Temp\45d00a5a9e3318ede8f8498d30816c73a5725138e9efd6ffdb7e5f8c1bb840cc.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mb8jm64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mb8jm64.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TD0Ay75.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TD0Ay75.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yC7zl24.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yC7zl24.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rt2xh74.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rt2xh74.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\NE3QU36.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\NE3QU36.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1up18vy2.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1up18vy2.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ve7084.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ve7084.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4mD449Wk.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4mD449Wk.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Qi0mc8.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Qi0mc8.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Fk7qJ7.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Fk7qJ7.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fd8Gg47.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fd8Gg47.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D939.tmp\D93A.tmp\D93B.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fd8Gg47.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffbe68b46f8,0x7ffbe68b4708,0x7ffbe68b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffbe68b46f8,0x7ffbe68b4708,0x7ffbe68b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe68b46f8,0x7ffbe68b4708,0x7ffbe68b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,15810180599717552482,11449780596194954306,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,15810180599717552482,11449780596194954306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11145335108054257010,17436447386418513378,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11145335108054257010,17436447386418513378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6348 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\942.exe
C:\Users\Admin\AppData\Local\Temp\942.exe
C:\Users\Admin\AppData\Local\Temp\B95.exe
C:\Users\Admin\AppData\Local\Temp\B95.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kG5lG0uG.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kG5lG0uG.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D4B.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sq2Dh8qj.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sq2Dh8qj.exe
C:\Users\Admin\AppData\Local\Temp\E17.exe
C:\Users\Admin\AppData\Local\Temp\E17.exe
C:\Users\Admin\AppData\Local\Temp\F8F.exe
C:\Users\Admin\AppData\Local\Temp\F8F.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xe3qd3Cq.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xe3qd3Cq.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UO6Ry3ul.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UO6Ry3ul.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe68b46f8,0x7ffbe68b4708,0x7ffbe68b4718
C:\Users\Admin\AppData\Local\Temp\1127.exe
C:\Users\Admin\AppData\Local\Temp\1127.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffbe68b46f8,0x7ffbe68b4708,0x7ffbe68b4718
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1IE11lN6.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1IE11lN6.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,806972578604639457,3191478592089236168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1406.exe
C:\Users\Admin\AppData\Local\Temp\1406.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1372 -ip 1372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 784
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2HZ773pY.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2HZ773pY.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5008 -ip 5008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 176
C:\Users\Admin\AppData\Local\Temp\5B03.exe
C:\Users\Admin\AppData\Local\Temp\5B03.exe
C:\Users\Admin\AppData\Local\Temp\5D27.exe
C:\Users\Admin\AppData\Local\Temp\5D27.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\612F.exe
C:\Users\Admin\AppData\Local\Temp\612F.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4244 -ip 4244
C:\Users\Admin\AppData\Local\Temp\7zS6702.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 784
C:\Users\Admin\AppData\Local\Temp\7zS6869.tmp\Install.exe
.\Install.exe /MKdidA "385119" /S
C:\Users\Admin\AppData\Local\Temp\6D75.exe
C:\Users\Admin\AppData\Local\Temp\6D75.exe
C:\Users\Admin\AppData\Local\Temp\is-1SD6H.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1SD6H.tmp\LzmwAqmV.tmp" /SL5="$5026A,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gruCwymYH" /SC once /ST 03:13:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gruCwymYH"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2192 -ip 2192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 572
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| NL | 142.250.179.182:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | 182.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| IE | 163.70.151.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.151.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| DE | 172.217.23.194:443 | googleads.g.doubleclick.net | tcp |
| DE | 172.217.23.194:443 | googleads.g.doubleclick.net | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 194.23.217.172.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| NL | 81.161.229.93:80 | 81.161.229.93 | tcp |
| FI | 77.91.124.71:4341 | | tcp |
| US | 8.8.8.8:53 | 93.229.161.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | stim.graspalace.com | udp |
| US | 188.114.97.0:80 | stim.graspalace.com | tcp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
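Most rows in the table are resolver traffic to 8.8.8.8, reverse lookups of addresses already contacted, and the Facebook and Google traffic generated by the two msedge --single-argument launches in the process list. The rows worth acting on are the destinations reached by bare IP with no hostname at all (77.91.124.86:19084, 77.91.124.71:4341) or with the IP repeated in the domain column (193.233.255.73:80, 77.91.124.1:80, 77.91.68.29:80 and the others on port 80). The Python below is an added example, not part of this report: it parses a constructed subset of the rows above in the four-column layout used here and separates those direct-IP connections from resolver noise, multicast and named hosts; the function and label names are my own.

```python
import ipaddress

# Rows copied from the Network table above (constructed subset; a real run would
# read the whole table or the sandbox's JSON export).
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| FI | 77.91.124.71:4341 | | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 188.114.97.0:80 | stim.graspalace.com | tcp |
| FI | 77.91.124.86:19084 | | tcp |
"""

RESOLVER = "8.8.8.8:53"  # the sandbox's DNS server, as seen in the table


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) for each |-delimited table row."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # header, separator or malformed row
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        yield country, ip, int(port), domain, proto


def classify(ip, port, domain):
    """Label one connection: dns, reverse_lookup, multicast, direct_ip or named."""
    if f"{ip}:{port}" == RESOLVER:
        return "reverse_lookup" if domain.endswith(".in-addr.arpa") else "dns"
    if ipaddress.ip_address(ip).is_multicast:
        return "multicast"  # mDNS chatter from the guest, not the sample
    if domain in ("", ip):
        return "direct_ip"  # contacted without any hostname: hard-coded in the binary
    return "named"


def c2_candidates(text):
    """Unique ip:port/proto pairs contacted by bare IP, sorted for a block list."""
    found = set()
    for _, ip, port, domain, proto in parse_rows(text):
        if classify(ip, port, domain) == "direct_ip":
            found.add(f"{ip}:{port}/{proto}")
    return sorted(found)


def named_hosts(text):
    """Hostnames that were resolved and then contacted, for allow/deny review."""
    return sorted({d for _, ip, port, d, _ in parse_rows(text)
                   if classify(ip, port, d) == "named"})


if __name__ == "__main__":
    print("direct-IP:", c2_candidates(SAMPLE_ROWS))
    print("named:", named_hosts(SAMPLE_ROWS))
```

Bare-IP destinations on non-web ports such as 19084 and 4341 are the first thing to block and to hunt for in proxy and NetFlow data; the named hosts still need a human look, since iplogger.com and stim.graspalace.com sit next to ordinary Facebook and Google traffic in the same list.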
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mb8jm64.exe
| MD5 | 18796f30a02957629e58e97beaddd244 |
| SHA1 | 51e49fecc208392b5176917c2b6c0c3ad8dc09de |
| SHA256 | ab46628b62358a5c0f96286d4d99844e59ac46a2f40942f3317c3139b15bb805 |
| SHA512 | 0b9cb8364f03682e12d810dbafe4efc3506a8a034818a49962f54534958a2cfa4c5c29539f45667bca170b20e375d1281ae56bc3358608db627f9efb31571722 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TD0Ay75.exe
| MD5 | e04f490c261da63c48979f657e7650b9 |
| SHA1 | 3760e63c9096b6cc2149daa07e28d8439d359bd7 |
| SHA256 | 235dea05e7f478997040492c9e44e0c5dfb6d1bb9b5cf567ecb339a951a5eb5c |
| SHA512 | 4db4895afbe899db4b2fc212a18d73a1ec241d2c9880d93eee897d993c55ef6881a9789ce57532d26e77b1217f2ba4200549c880095ae276c18eb46a5ad0733c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yC7zl24.exe
| MD5 | 685229f5c2350a479b91574ff3faf3dd |
| SHA1 | bfd12cfa6af49269d36e5134fea978a45e3b3bb7 |
| SHA256 | 153db1f514f7557cc8dda5227a962593915e8847dac3a5127fb7d6aa682de1b4 |
| SHA512 | bd2151b238bfa47096b4d9b96a546c867a796861c7b01c39494c28cea8e57a905f6d4845e734703da4b42c9e81381de10fce828c7b8557dc89d52c2905a773e7 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rt2xh74.exe
| MD5 | a9606d11105185ac53fbdac759008c4a |
| SHA1 | 0bcbecea052a802a4f223395428692f14cdc1d47 |
| SHA256 | 370802f1c3f9419055e6244460adcec1bf1448774e6838a2aaee71952b6a1637 |
| SHA512 | bdeb12457a08c4ed3bac3dcbe13bacb240f9e4858bf193a1a8c16c3994e65e4888d14199df565b8579a94435282ef682f4cdba52816c53a21f761f2e27df2953 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\NE3QU36.exe
| MD5 | 9913ec6243f1cf92a23232d68adcb161 |
| SHA1 | 0d7c91c524914ff8e2c3d961e85bc4540a6ea191 |
| SHA256 | 562d3f5a880d2674462657803b6fe560796fa1d5e6b394c0fd47ccebf9463302 |
| SHA512 | 19fd759f256640ac5de6305c4fc79df5402cc8eb14b6247e6661c32229a995f6279d302f685777ebbcea2853a1a5bf75fb13f7809c4924d5e19d568625d84540 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1up18vy2.exe
| MD5 | 170173cf21fd19faa3d9f0c2d2eab8d8 |
| SHA1 | 31c4f2665e331ffb734a7fdee916a7862343a259 |
| SHA256 | e77b84989c5ffc9d82c6d4c735ac5e48d3f449bb66dfe909ad2cb4d5770e5589 |
| SHA512 | a6dcec0e29dd4d6dc96e72116d57d9385c0c4138618993432142dd8fa58ae1ac8b92f2416dd9ff1e7056612143f985c496ffccd78693e3c59b9ec02fb9726811 |
memory/1320-42-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ve7084.exe
| MD5 | 80051f7387edf6f514546c31e80c80d4 |
| SHA1 | 2c83dc07e6254c6214f0c0a16511bceffcd58bfa |
| SHA256 | 618e42a5a5815316a914c955f23a698cdf24fb63ac7cfcb1d94238bf97388689 |
| SHA512 | e42d24b74c0bb637e72661dbcf78c4dbab871809cdda25ff1e982b79c6b1475e7d7af0fe40990ff99d2966d55d296b4494be3feda981db3922ff8799bbe8039e |
memory/1320-46-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/2380-47-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2380-48-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2380-49-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2380-51-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wa35Np.exe
| MD5 | a7a44eea4db1d7480be646e01be54352 |
| SHA1 | 2d8181b23f16cc5c9c5a92648c2c692eb507b98f |
| SHA256 | 58d8ddbfae85914657ee5edbb33b4277e01ce597a0abf3b56bda40d775ed165e |
| SHA512 | 07014b4ca1d20675c44ce2693a9eb961d0120ec209cd42011ef01041f48e844f865ac4d3bcd4640a81fa5fc13e49846f5a2a91ba814829caa20ca7f9572f7546 |
memory/2140-54-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3316-56-0x0000000002160000-0x0000000002176000-memory.dmp
memory/2140-57-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4mD449Wk.exe
| MD5 | b2f55619061a6d3ca7b3e7e68e999c37 |
| SHA1 | 84b3c365f64b779275be267eca3c0fac563372e2 |
| SHA256 | b664b65eddae1b595b010f18da11b189d5695a9325116a8c9e9af038c4c9ff08 |
| SHA512 | 65f8eb672df894d8894c7bae006919910df1113452a02907d7d8577c3c5dc4d1d68449f8931121ce1454b451f87979f6414c13efedeea4fdc538784a1e504043 |
memory/1320-63-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/1320-65-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/4592-66-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Qi0mc8.exe
| MD5 | 033d317eee5b16a3eab586d3172c9e91 |
| SHA1 | 9c2ebece96fad1d297fa0d9e8168aa6a78b94eaa |
| SHA256 | 51364f922ca2e84edb3a1d5e45123d9c292fa0c259ab9c54b050d5bd861b9fd1 |
| SHA512 | 226b8fe6d6fb419e1e939b0c97b530f0b24b48f7c8051824d249bb0c36d8f7f2a4b927d07521ceaeca89770e19e762b005b0b47fb832b2acb2f8e66d618e319f |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 033d317eee5b16a3eab586d3172c9e91 |
| SHA1 | 9c2ebece96fad1d297fa0d9e8168aa6a78b94eaa |
| SHA256 | 51364f922ca2e84edb3a1d5e45123d9c292fa0c259ab9c54b050d5bd861b9fd1 |
| SHA512 | 226b8fe6d6fb419e1e939b0c97b530f0b24b48f7c8051824d249bb0c36d8f7f2a4b927d07521ceaeca89770e19e762b005b0b47fb832b2acb2f8e66d618e319f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/4592-73-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/4592-74-0x0000000007940000-0x0000000007EE4000-memory.dmp
memory/4592-75-0x0000000007430000-0x00000000074C2000-memory.dmp
memory/4592-77-0x0000000007560000-0x0000000007570000-memory.dmp
memory/4592-81-0x00000000074E0000-0x00000000074EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Fk7qJ7.exe
| MD5 | f7c43455d88c04e8f7fe27872426cb03 |
| SHA1 | dbfb76fb09a76c1cb81c5622b801ad28bddd5428 |
| SHA256 | a8efa4e45c712e7b5a993f93788145e6639c9c32a1fec30ddd10c0cda787f809 |
| SHA512 | 0cca85152f382828ab7775c005b19ec1bbd7b171f212421669d06174e00c75e2d9a6233cf4e6cab30bb0ce100c3edb904cb6299a18f3efc78acd4073a50fb67f |
memory/4592-88-0x0000000008510000-0x0000000008B28000-memory.dmp
memory/4592-89-0x0000000007830000-0x000000000793A000-memory.dmp
memory/4592-90-0x00000000075C0000-0x00000000075D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fd8Gg47.exe
| MD5 | 802f42b28d3fb92e8359c45464b7b957 |
| SHA1 | 94aa5971ec40b0937d43a6f3fbe430b24d301951 |
| SHA256 | 00c843d172786bb57b53f35be5e4215d5100328d834a182870f5ce92d880ab24 |
| SHA512 | 320dc90055a150ca597e31095305b693ea38f33cbefa17b51d3bf18ce8d0b4044899813591e9ffa6da3e58e43164fe62f399faf08c737146e99c7d378272e044 |
memory/4592-93-0x0000000007720000-0x000000000775C000-memory.dmp
memory/4592-94-0x0000000007760000-0x00000000077AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D939.tmp\D93A.tmp\D93B.bat
| MD5 | 376a9f688d0224a448db8acbf154f0dc |
| SHA1 | 4b36f19dc23654c9333289c37e454fe09ea28ab5 |
| SHA256 | 7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a |
| SHA512 | a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | df4fb359f7b2fa8af30bf98045c57c44 |
| SHA1 | 6d507359e1fd5be8f7c01fd4b291f81cf9561378 |
| SHA256 | 5ff7efcd90db74ff5a6fa467ba741889306ce510b95db8ebd3d5d292dfe587cc |
| SHA512 | 92195f5fe36acb84ce5aeedf8654c2ec1d71ebde1e04a5dbce11df2831c3e085c0cd7132ed2c4bddcc3fd1e546c06021dbe5b7364e86054e6cbd6806e7be0463 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_4404_ZTXUXYCLLIYBHIBZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_3120_SQYQUFPAGMINDPCL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e7f6d50a-4ef4-4468-a1d0-e21861dc9736.tmp
| MD5 | 9e58aa7e8068cc4f2b962d81ffd65483 |
| SHA1 | 25a819c3ce1145b641d0c6d43b8f8d452171504c |
| SHA256 | cb98f312421e513e1c6ed921de3621a822602a4280ca63c1974ab1d59529cff2 |
| SHA512 | 8025d3006e88a13ed2bcc8cba2bf84dcdfb9ea79a5d06e4b6343f300db60f816049e10bc91b2b519d3857ae2fba82ed49292f1e5a332897e42b15a8292cbaf3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 02086b97111ad60d0f4bcfaac9b52fcf |
| SHA1 | 4d855a558b92b3b27406eae1108f8296574a2367 |
| SHA256 | ece6f244aa851758ab29008a4aae00213ebd121816feb9d6283dd857cd533021 |
| SHA512 | c38644479885b2a9ba50e8f30c9549296cb009874088bfdb33711c53388b1cfb5219f099371b1489f7f113cea452438e120f74f16dc8232edf9a08cb121db425 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9e58aa7e8068cc4f2b962d81ffd65483 |
| SHA1 | 25a819c3ce1145b641d0c6d43b8f8d452171504c |
| SHA256 | cb98f312421e513e1c6ed921de3621a822602a4280ca63c1974ab1d59529cff2 |
| SHA512 | 8025d3006e88a13ed2bcc8cba2bf84dcdfb9ea79a5d06e4b6343f300db60f816049e10bc91b2b519d3857ae2fba82ed49292f1e5a332897e42b15a8292cbaf3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 02086b97111ad60d0f4bcfaac9b52fcf |
| SHA1 | 4d855a558b92b3b27406eae1108f8296574a2367 |
| SHA256 | ece6f244aa851758ab29008a4aae00213ebd121816feb9d6283dd857cd533021 |
| SHA512 | c38644479885b2a9ba50e8f30c9549296cb009874088bfdb33711c53388b1cfb5219f099371b1489f7f113cea452438e120f74f16dc8232edf9a08cb121db425 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 464643a72fd2bb1333c2c355288cb903 |
| SHA1 | 57e4c8559cd30828977ad49b95d16b6b7b5cc5ce |
| SHA256 | 9791bf9247070fa8bb63e25ea04cccaaf1a8e253124c4cbafb5c5c07f541e235 |
| SHA512 | cff56ad24f96b826161ca9a0e453c7533a633535021ce73c79b944355e4249344ad34ee0f65025e30c9d654edfff9da56e6ebe35f63a8f619447c725a2b6240a |
memory/4592-286-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/4592-297-0x0000000007560000-0x0000000007570000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 4b05639fd2db47a5474bd18f451b117a |
| SHA1 | 2a83cdb799961c2a49d04869fe4f0974184ac610 |
| SHA256 | f4b0b3d33bf3e738df8c15cc00ec80d47e2c51ac8139114cd26e4ef74c13303e |
| SHA512 | 467d36b01e0c12c4c3cc878dfb95efd599132043d740b6b615fa568bfa5b7f91d36c5156198dc156f9e0093fd9a096bb853ba9ec0fbee69179a1d8a51b1600a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9e58aa7e8068cc4f2b962d81ffd65483 |
| SHA1 | 25a819c3ce1145b641d0c6d43b8f8d452171504c |
| SHA256 | cb98f312421e513e1c6ed921de3621a822602a4280ca63c1974ab1d59529cff2 |
| SHA512 | 8025d3006e88a13ed2bcc8cba2bf84dcdfb9ea79a5d06e4b6343f300db60f816049e10bc91b2b519d3857ae2fba82ed49292f1e5a332897e42b15a8292cbaf3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a0f96ce85a47ae7b7c8e4264e48b34ac |
| SHA1 | 5a6056d3a1c0f2ba1ae0cb7bcd2953a4e0aa8152 |
| SHA256 | a9f42ef3148ce8b840af8ec729efcc2352acbb08182eabc00881194fba3b19c6 |
| SHA512 | a00fde41c637e69b52695ef2129cc3ec98467e4c399f6117c7e4b6b29b0b249b64886f0cf85f3f64bc19db880b64077f574f10f74929c0cd614bc41002a2bfc7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | c48e2d00ea96e83f58db7fdabb49e5ee |
| SHA1 | 943ba5da0a57d6cbb7da8b9f9ecf57273a0a1bb6 |
| SHA256 | 455d27a978e337861e3bc251785ea9a33afd98cf0c28b78ca2644eac283f1ae3 |
| SHA512 | a25e7538636e10b9d327b9750f394d2f3a0ef3552821e480f187b9300a5db982e5435756cf20fc11128341b01eee91ece191bbab1c4da6ce086f7c773255e9eb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | d00f482fd025bb627f0e29e35900aaa6 |
| SHA1 | 836d23a356815736d32ca5307e6366eccf6faafa |
| SHA256 | cbc2f5812c7ef02b787186e0dcea3aa4d0b9a53501befb89e306fc6a41d6f5e2 |
| SHA512 | 54f3368cfadcc8abf02fae38400156d79294d00d0ff0a616f114e6f34b23175daf8421f07677dfe7c05ce06409dd1a13542a9bd3b1b18d724399557166f0798c |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 033d317eee5b16a3eab586d3172c9e91 |
| SHA1 | 9c2ebece96fad1d297fa0d9e8168aa6a78b94eaa |
| SHA256 | 51364f922ca2e84edb3a1d5e45123d9c292fa0c259ab9c54b050d5bd861b9fd1 |
| SHA512 | 226b8fe6d6fb419e1e939b0c97b530f0b24b48f7c8051824d249bb0c36d8f7f2a4b927d07521ceaeca89770e19e762b005b0b47fb832b2acb2f8e66d618e319f |
C:\Users\Admin\AppData\Local\Temp\942.exe
| MD5 | fd77c40a0754d5f92b5a47ccec318850 |
| SHA1 | 39b6489f498b476f362174205c5666e27eed3dc3 |
| SHA256 | 35d1ce398d92c9e83c5867b0174a76ce489739014f184480adb1e9b899c1bb61 |
| SHA512 | ebb37eb4059253411e8481a4a941d64a9c355864d871a044727ac6770130bea5ad31fda59b7672f7d5f512713da073ccc08c05042b5aaa730828de28c80af9a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | aff49acc70194fc054218a2217f04811 |
| SHA1 | b99276123c1ec1dee86b730813e4458ef1639a46 |
| SHA256 | fbf7f8828b06c5ed6ea63078050e6564feff7dcb2b2952ac7ee2ae28849621e8 |
| SHA512 | dfb3bca12b65f5b5aefbfeb46f634eb086fdd56ba20466dcb35acb1fefd6eb0dd603d1a067bbe9e057127dd00db404e71fe036c3a7cf84810de1b1ab2add4501 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Nv26Jm.exe
| MD5 | 9ce373b726759a57b7636a2ce6f6be03 |
| SHA1 | f456089b33130370d0990063eac0b73dc3b93ecb |
| SHA256 | 3fa2e09fb23dad3853d3042682af78fd07793adc2eb232edeeb1d3c54f9b6599 |
| SHA512 | 3171d5aacd0c9be970a4cf1baa7e68903acaa554cde5400da73889055c0854fbdcdfb24aadf8f3ce25352a46e45e8137601f5bb537599df8c962cb81a27ee30a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 918ecd7940dcab6b9f4b8bdd4d3772b2 |
| SHA1 | 7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4 |
| SHA256 | 3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175 |
| SHA512 | c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\B95.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
memory/5288-394-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5952-403-0x0000000000B30000-0x0000000000B3A000-memory.dmp
memory/5952-405-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5288-411-0x0000000007AD0000-0x0000000007AE0000-memory.dmp
memory/1372-428-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1372-437-0x0000000000550000-0x00000000005AA000-memory.dmp
memory/1372-448-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/1372-458-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1372-459-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5008-461-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5008-462-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5008-464-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5456-467-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5456-466-0x00000000007A0000-0x00000000007DE000-memory.dmp
memory/5288-468-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5456-469-0x00000000076E0000-0x00000000076F0000-memory.dmp
memory/5952-480-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5288-510-0x0000000007AD0000-0x0000000007AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0401f316b65221e5cddc6299a26cb5c9 |
| SHA1 | bf55483db4e092653f323b085946c07b623aeb92 |
| SHA256 | 557cc71aad81dfd54ff903f0cbc6b92754ca2ce4038a750ad1f3f3a713dd0215 |
| SHA512 | 6e1b309f553ea4ffbddbc8d7deb0c8f0839780c694bde9bffc29b0bcc5b61d6c57469a673a4e9d60c53cc7c69de0c51a2c42a1d3428a240e5f3c3d5165eb61bb |
memory/5952-567-0x0000000074750000-0x0000000074F00000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 57826e3b2c4633d1e7d835c900abeed1 |
| SHA1 | c82ee62cc501b3f96803e95d5210ef66062c2d0a |
| SHA256 | 56dee2d64bb89b8128f9e006d4aa48a717025640e8207903744347939afce4f2 |
| SHA512 | 317db4d01abedf35835a1de40beaf19c886cbd9c9a4443f34d4c0d7d2563bb989176a7a2151974b18579a999616c255aa9795bdacb855aeb71a05e74e95c0dbe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583b5e.TMP
| MD5 | 57fbfb1039f0d85545b18ef9a5c771c6 |
| SHA1 | f31c19021423d5c580bb9f8c78cee31a6b81f935 |
| SHA256 | 2ad898ee764e20fb007b808e80925d1e5e40cd8a099898c45f8833f8f3089bbc |
| SHA512 | 866bdb3363fd4242f7ca0595113750a3f360b4a6e2bb0f4f58a115e67e90506a84cec7f9d37d488a39797ed6d9515559f9522771ba9b9cfeba673606e7e2fb14 |
memory/5456-577-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5456-578-0x00000000076E0000-0x00000000076F0000-memory.dmp
memory/5588-581-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5588-584-0x0000000000870000-0x00000000019A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 6a085a5ce478080d06a5035eaee7d97c |
| SHA1 | 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb |
| SHA256 | 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457 |
| SHA512 | 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 498af485852079b7064dd1675377809f |
| SHA1 | a6a36a996b5f1d2dab2eb4232f65275cb1df4030 |
| SHA256 | e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6 |
| SHA512 | 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344 |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | cac360e5fb18e8f135b7008cb478e15a |
| SHA1 | 37e4f9b25237b12ab283fc70bf89242ab3b83875 |
| SHA256 | e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8 |
| SHA512 | 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32 |
memory/5300-610-0x0000000002100000-0x0000000002109000-memory.dmp
memory/4244-611-0x0000000000550000-0x00000000005AA000-memory.dmp
memory/5300-612-0x0000000000860000-0x0000000000960000-memory.dmp
memory/4244-608-0x0000000000400000-0x000000000047E000-memory.dmp
memory/5192-614-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5192-618-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4244-632-0x0000000074750000-0x0000000074F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/4048-634-0x0000000000280000-0x0000000000288000-memory.dmp
memory/4048-640-0x00007FFBE2CF0000-0x00007FFBE37B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/4048-641-0x00000000024D0000-0x00000000024E0000-memory.dmp
memory/5804-644-0x0000000002E20000-0x000000000370B000-memory.dmp
memory/5588-645-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5804-646-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5804-647-0x0000000002920000-0x0000000002D20000-memory.dmp
memory/1100-653-0x00000000000D0000-0x00000000007BF000-memory.dmp
memory/1708-654-0x00000000008F0000-0x0000000000CD0000-memory.dmp
memory/1708-655-0x00000000054E0000-0x000000000557C000-memory.dmp
memory/1708-657-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/1100-658-0x0000000010000000-0x000000001057B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | 4c0afce655ffa1106db5d95d4904c2ae |
| SHA1 | 58b6361d0bf9ba330176fd2af536c412070e210f |
| SHA256 | b16a234100883bbac2ed0810586d99b5b276498ed33a21b3549d41240a5bd240 |
| SHA512 | ff54e9564c3a0534693bdf70942d26136357544e15289e75f1e1448fe6cfb7e4e25149a0b60bcec95a93e54cb9d7bce78a28f4cdd38c06e935c8c6f8b508a2a5 |
memory/5284-672-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4244-675-0x0000000000400000-0x000000000047E000-memory.dmp
memory/4244-677-0x0000000074750000-0x0000000074F00000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 80c459b252ac4310a4df5550f2417def |
| SHA1 | 09814b04213b469513b8bc56e2b4bf415f6c6c68 |
| SHA256 | dcb70736ef3fca05a8d622fa8e78b2fb470cc07689543279fd1383826700788b |
| SHA512 | d75122153d440159db3f9666e04448591e0ee82f154d84c5b24f17b7e48f61b965f4e7215a2429f9db0559acdb0c1f378917f146484fdf2528209922791f7243 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/5192-697-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4048-696-0x00007FFBE2CF0000-0x00007FFBE37B1000-memory.dmp
memory/3316-695-0x0000000002770000-0x0000000002786000-memory.dmp
memory/5708-715-0x0000000000610000-0x0000000000611000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 76acbc93c34272eb53997c70304f3b32 |
| SHA1 | c49315752203bffb6344c8543a6507c5d186c5d8 |
| SHA256 | d63d1f64e8def84402dc75be53a9480a12a1b72d89f42fbadd7d8645cb9c83f1 |
| SHA512 | 3963115099942326724bc546c29b03a0e69f1375b78cf058923b247747a3d49be2b6f345b52024e920a3a865c83e2e8de3f5b9789b71a5bf4943e25555224950 |
memory/2192-776-0x0000000000400000-0x0000000000636000-memory.dmp
memory/5804-775-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/2192-777-0x0000000000400000-0x0000000000636000-memory.dmp
memory/2192-779-0x0000000000400000-0x0000000000636000-memory.dmp
memory/4740-782-0x00007FF7CCDF0000-0x00007FF7CD391000-memory.dmp
memory/5804-786-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/2848-787-0x0000000000400000-0x0000000000636000-memory.dmp
memory/5804-788-0x0000000002920000-0x0000000002D20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | bde3dcfd68eaf60521b1e5f7e29543fd |
| SHA1 | 0b8819ade84ced7ffc8fb3c6de6493d32c4cc6d5 |
| SHA256 | ea54d77d56aa76d0699ad8b67b1d4eb98e9f18efc0830b778deb6e1771b94467 |
| SHA512 | 0dfcf192b22d9491c2e234381fbc65660a6510bf3454b0de067a48aee7e0f489c53e68814524a3187c255a9c2528780150cbcb8b6c4e6f45ad400a037f0aed56 |
memory/1100-807-0x00000000000D0000-0x00000000007BF000-memory.dmp
memory/1708-808-0x0000000005470000-0x0000000005478000-memory.dmp
memory/1708-806-0x0000000005450000-0x000000000545A000-memory.dmp
memory/2192-829-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4aanqn5t.4p1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2192-840-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2192-849-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
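The listing above is raw sandbox output: one path line followed by a hash table, memory-dump artifacts interleaved, and the same file repeated each time it was written. Before any of it goes into a blocklist or a hunt query it needs to be parsed, deduplicated and triaged. The script below is an added example written by the editor for that purpose; it is not part of the report or of any sandbox vendor's tooling. The sample input is a subset of entries copied verbatim from this page (SHA512 rows omitted for brevity). The classification rules are the editor's own heuristics, built on two facts that the page itself does not state: `d41d8cd9…` / `e3b0c442…` are the MD5 and SHA256 of zero-length input, so the Crashpad named pipes and the empty `settings.dat` carry no content worth hunting for; and `__PSScriptPolicyTest_<random>.ps1` is a probe file that powershell.exe writes to %TEMP% on start-up to test script-enforcement policy, so it signals that PowerShell ran, not that a script payload was dropped.

```python
"""Turn a sandbox 'files written' listing into a deduplicated hunt list.

Editor's example, not part of the sandbox report. Sample lines are copied
from the report; the classification heuristics are the editor's own.
"""
import re
from collections import defaultdict

# SHA256 of zero-length content: entries carrying it are empty files or pipes.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: a subset of the report's entries, SHA512 rows omitted.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
\??\pipe\LOCAL\crashpad_4404_ZTXUXYCLLIYBHIBZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Temp\B95.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
C:\Users\Admin\AppData\Local\Temp\B95.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
memory/5288-394-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5952-405-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/5588-584-0x0000000000870000-0x00000000019A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4aanqn5t.4p1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
"""


def parse_listing(text):
    """Split the listing into file entries ({path, hashes}) and memory dumps."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).upper()] = m.group(2).lower()
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        current = {"path": line, "hashes": {}}  # any other line starts an entry
        files.append(current)
    return files, dumps


def classify(entry):
    """Editor's heuristic triage of one file entry."""
    low = entry["path"].lower()
    if low.startswith("\\??\\pipe\\") or entry["hashes"].get("SHA256") == EMPTY_SHA256:
        return "empty-or-pipe"            # zero-length content, nothing to hunt
    if "\\microsoft\\edge\\user data\\" in low:
        return "browser-profile"          # Edge writing its own profile files
    if "__psscriptpolicytest_" in low:
        return "powershell-policy-probe"  # powershell.exe start-up artifact
    if low.endswith((".exe", ".dll")) and ("\\temp\\" in low or "\\roaming\\" in low):
        return "dropped-pe"               # the payloads worth blocking/hunting
    return "other"


def build_hunt_list(text):
    """Deduplicate dropped PE files by SHA256, keeping every path they used."""
    files, _ = parse_listing(text)
    by_hash = {}
    for entry in files:
        if classify(entry) != "dropped-pe":
            continue
        sha = entry["hashes"]["SHA256"]
        rec = by_hash.setdefault(sha, {"md5": entry["hashes"].get("MD5"), "paths": []})
        if entry["path"] not in rec["paths"]:
            rec["paths"].append(entry["path"])
    return by_hash


def group_memory_regions(text):
    """Map each dumped (start, end) range to the sorted PIDs it was seen in.

    A range recurring at the same address in many PIDs is a shared mapping;
    a large range unique to one PID is where an unpacked stage usually sits.
    """
    _, dumps = parse_listing(text)
    regions = defaultdict(set)
    for d in dumps:
        regions[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    for sha, rec in build_hunt_list(SAMPLE).items():
        print(sha, rec["md5"], *rec["paths"])
    for (start, end), pids in group_memory_regions(SAMPLE).items():
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes) in PIDs {pids}")
```

Run against the full listing, the hunt list collapses the repeated `B95.exe` and `942.exe` entries to one record each and drops the Edge profile churn and the empty pipes, leaving the Temp and Roaming executables and DLLs as the indicators to search for. The memory-region grouping makes the recurring `0x74750000-0x74F00000` range stand out as a mapping shared by many processes rather than a per-process payload, while the single 17 MB region in PID 5588 is the one to pull for further analysis.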