Analysis Overview
SHA256
1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b
Threat Level: Known bad
The file 1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b was found to be: Known bad.
Malicious Activity Summary
Glupteba
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
Amadey
ZGRat
Glupteba payload
Raccoon
RedLine
Detect ZGRat V1
Raccoon Stealer payload
Modifies Windows Defender Real-time Protection settings
DcRat
RedLine payload
Drops file in Drivers directory
Modifies Windows Firewall
Downloads MZ/PE file
Stops running service(s)
Reads user/profile data of web browsers
Executes dropped EXE
Windows security modification
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 08:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 08:13
Reported
2023-10-26 08:16
Platform
win10v2004-20231023-en
Max time kernel
93s
Max time network
157s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1752 created 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 1752 created 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 1752 created 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 1752 created 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 1752 created 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
ZGRat
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7DAC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9879.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7EB7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7EB7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\9A9D.exe'\"" | C:\Users\Admin\AppData\Local\Temp\9A9D.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7A3C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3820 set thread context of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1108 set thread context of 5840 | N/A | C:\Users\Admin\AppData\Local\Temp\A463.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3204 set thread context of 5984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4364 set thread context of 6068 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Drive Tools\is-2PIL8.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-DQGSI.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-5DV4U.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-J7RLE.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-9B0RE.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-1FH92.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-TO13U.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-6UEO5.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\Lang\is-Q64NC.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-2UQDS.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-Q69EF.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-SD465.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-3H7GU.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-MESDL.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-TVKF8.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-MPRLA.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-UBOBD.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-LLEIT.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-ILBID.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-UK9NO.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-E5230.tmp | C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\7EB7.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7EB7.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7D1E.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A463.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe
"C:\Users\Admin\AppData\Local\Temp\1ebe0ad8b3bc8ea05f93e39fdda5441263a5c3110fb3991bafeddb3fb331d26b.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\7A3C.exe
C:\Users\Admin\AppData\Local\Temp\7A3C.exe
C:\Users\Admin\AppData\Local\Temp\7B18.exe
C:\Users\Admin\AppData\Local\Temp\7B18.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BE4.bat" "
C:\Users\Admin\AppData\Local\Temp\7CA0.exe
C:\Users\Admin\AppData\Local\Temp\7CA0.exe
C:\Users\Admin\AppData\Local\Temp\7D1E.exe
C:\Users\Admin\AppData\Local\Temp\7D1E.exe
C:\Users\Admin\AppData\Local\Temp\7DAC.exe
C:\Users\Admin\AppData\Local\Temp\7DAC.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe
C:\Users\Admin\AppData\Local\Temp\7EB7.exe
C:\Users\Admin\AppData\Local\Temp\7EB7.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff810b046f8,0x7ff810b04708,0x7ff810b04718
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 224 -ip 224
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 792
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff810b046f8,0x7ff810b04708,0x7ff810b04718
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\9879.exe
C:\Users\Admin\AppData\Local\Temp\9879.exe
C:\Users\Admin\AppData\Local\Temp\9A9D.exe
C:\Users\Admin\AppData\Local\Temp\9A9D.exe
C:\Users\Admin\AppData\Local\Temp\9CA2.exe
C:\Users\Admin\AppData\Local\Temp\9CA2.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\A463.exe
C:\Users\Admin\AppData\Local\Temp\A463.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2888 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2940 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,15103402643162731615,17550131249319213560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp" /SL5="$C01DC,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lj998Dz.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lj998Dz.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5984 -ip 5984
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5840 -ip 5840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 540
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12117135881609447139,17778233830271467621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Users\Admin\AppData\Local\Temp\478A.exe
C:\Users\Admin\AppData\Local\Temp\478A.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| NL | 81.161.229.93:80 | 81.161.229.93 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.229.161.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| RU | 85.209.11.85:41140 | tcp | |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.11.209.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stim.graspalace.com | udp |
| US | 188.114.96.0:80 | stim.graspalace.com | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | facebook.com | udp |
| IE | 163.70.151.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.151.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.71:4341 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.28:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 28.26.214.95.in-addr.arpa | udp |
| NL | 194.169.175.235:42691 | tcp | |
| US | 8.8.8.8:53 | 235.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | a7cd5829-71c3-4b99-a58e-42196ad1275b.uuid.datadumpcloud.org | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.65.182:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 182.65.15.51.in-addr.arpa | udp |
| PL | 51.68.143.81:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.143.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | server14.datadumpcloud.org | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.104:443 | server14.datadumpcloud.org | tcp |
| IN | 172.253.121.127:19302 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.121.253.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.216.82.185.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| BG | 185.82.216.104:443 | server14.datadumpcloud.org | tcp |
| FI | 77.91.124.86:19084 | tcp |
Files
memory/4672-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4672-1-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4672-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3232-2-0x0000000002A00000-0x0000000002A16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7A3C.exe
| MD5 | 51aa2ee477e0d873898ad3d8e4d5d235 |
| SHA1 | 3765dfa792f3f66c5c061c5fd930a690f9fd3965 |
| SHA256 | 31b7b6e15ebbc483b7b5df24754c925e34b3d6dc2b1a24d100f2a315a407fa64 |
| SHA512 | 10d7c388e9f544369e145414372d3ae62ef30c3bca27f77216b1961eaca0bcd8ad4531d3a07e6180dc5afcd7302e5e62e2d8e925b701b495bcf1b72d06e0ab9e |
C:\Users\Admin\AppData\Local\Temp\7A3C.exe
| MD5 | 51aa2ee477e0d873898ad3d8e4d5d235 |
| SHA1 | 3765dfa792f3f66c5c061c5fd930a690f9fd3965 |
| SHA256 | 31b7b6e15ebbc483b7b5df24754c925e34b3d6dc2b1a24d100f2a315a407fa64 |
| SHA512 | 10d7c388e9f544369e145414372d3ae62ef30c3bca27f77216b1961eaca0bcd8ad4531d3a07e6180dc5afcd7302e5e62e2d8e925b701b495bcf1b72d06e0ab9e |
C:\Users\Admin\AppData\Local\Temp\7B18.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\7B18.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\7BE4.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\7CA0.exe
| MD5 | 73089952a99d24a37d9219c4e30decde |
| SHA1 | 8dfa37723afc72f1728ec83f676ffeac9102f8bd |
| SHA256 | 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60 |
| SHA512 | 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2 |
C:\Users\Admin\AppData\Local\Temp\7CA0.exe
| MD5 | 73089952a99d24a37d9219c4e30decde |
| SHA1 | 8dfa37723afc72f1728ec83f676ffeac9102f8bd |
| SHA256 | 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60 |
| SHA512 | 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2 |
C:\Users\Admin\AppData\Local\Temp\7D1E.exe
| MD5 | d2ed05fd71460e6d4c505ce87495b859 |
| SHA1 | a970dfe775c4e3f157b5b2e26b1f77da7ae6d884 |
| SHA256 | 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f |
| SHA512 | a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e |
C:\Users\Admin\AppData\Local\Temp\7D1E.exe
| MD5 | d2ed05fd71460e6d4c505ce87495b859 |
| SHA1 | a970dfe775c4e3f157b5b2e26b1f77da7ae6d884 |
| SHA256 | 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f |
| SHA512 | a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e |
C:\Users\Admin\AppData\Local\Temp\7DAC.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\7DAC.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe
| MD5 | a575a6103ddff4aa59de9199c0bf420c |
| SHA1 | 52cb4ae7f9e8bc0236d17b26cd48c0f04b5a6318 |
| SHA256 | faece869796f484113b60e476df7b153e376ceffc522c50bcbf34d6fc27fedfa |
| SHA512 | 060317e7349c77802a512bd3dab66e532b53ac6a61f6a5752b6b6a3263176c97b72ff9a68e1b0f255d72f2019c8f716a12885948f917fdd3e320ad10db37470d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tj3HU1US.exe
| MD5 | a575a6103ddff4aa59de9199c0bf420c |
| SHA1 | 52cb4ae7f9e8bc0236d17b26cd48c0f04b5a6318 |
| SHA256 | faece869796f484113b60e476df7b153e376ceffc522c50bcbf34d6fc27fedfa |
| SHA512 | 060317e7349c77802a512bd3dab66e532b53ac6a61f6a5752b6b6a3263176c97b72ff9a68e1b0f255d72f2019c8f716a12885948f917fdd3e320ad10db37470d |
C:\Users\Admin\AppData\Local\Temp\7EB7.exe
| MD5 | 329bce2e07f7898910e3fd4e17b98d42 |
| SHA1 | 94d379a5964c97eefad6432608dd09b4ddb12b77 |
| SHA256 | 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e |
| SHA512 | a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Ni67nV.exe
| MD5 | 92c39aa3a62bd0435aee9f1eb11eaa70 |
| SHA1 | c1131234a1c5bced1af918b43615a0b915b00604 |
| SHA256 | 7db6a6275dbae7e5d253ddec7ac62fb5dcfecfe222110e1ca9ad0a4741da41b7 |
| SHA512 | e89d77233654792d4313803d325bd48f8f42d6785cc5dc5a52977245127240ea94e91d039a50c5752a66cdcdff6671c17bb53b1c536405a60b18f48f522eb983 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe
| MD5 | 752105de893af01e5f40d0c709285c26 |
| SHA1 | 9487f9a62a77a909ecdbad72e3d012ad420a5131 |
| SHA256 | 1b73f830a421b4eff5f8809ca09e67bcd8aa6a9029558a71e117a34d01f20e1d |
| SHA512 | 6cdaf41eca636d622f830a8eb3aa2999ff4b4375e791770bc817a2c27be3a7d28a6648b0854cb7036b8d80a10c747a8bdff03a8f85ab18912fd98b546693d3ab |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RW4rc9EV.exe
| MD5 | 752105de893af01e5f40d0c709285c26 |
| SHA1 | 9487f9a62a77a909ecdbad72e3d012ad420a5131 |
| SHA256 | 1b73f830a421b4eff5f8809ca09e67bcd8aa6a9029558a71e117a34d01f20e1d |
| SHA512 | 6cdaf41eca636d622f830a8eb3aa2999ff4b4375e791770bc817a2c27be3a7d28a6648b0854cb7036b8d80a10c747a8bdff03a8f85ab18912fd98b546693d3ab |
memory/1616-58-0x00000000733C0000-0x0000000073B70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe
| MD5 | 92de26740069f81106362622a80b93a8 |
| SHA1 | 4d8d4d16493127101391087f54c8f8da82752bd7 |
| SHA256 | 1fc361128af0d065ab26fb030d1c307f5dcb246c0985385e54d6d1251247ea0e |
| SHA512 | 1dc6ca873b8c95af3c4eac7a24071143acaabd96e2b714708c58e64e9f9c3757f6c41a5b4c51bc85af2762eec8dcc1265942bd48b1f77ba0a49c762541807f88 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CM2XZ5rM.exe
| MD5 | 92de26740069f81106362622a80b93a8 |
| SHA1 | 4d8d4d16493127101391087f54c8f8da82752bd7 |
| SHA256 | 1fc361128af0d065ab26fb030d1c307f5dcb246c0985385e54d6d1251247ea0e |
| SHA512 | 1dc6ca873b8c95af3c4eac7a24071143acaabd96e2b714708c58e64e9f9c3757f6c41a5b4c51bc85af2762eec8dcc1265942bd48b1f77ba0a49c762541807f88 |
memory/4436-64-0x0000000000870000-0x00000000008AE000-memory.dmp
memory/4436-65-0x00000000733C0000-0x0000000073B70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe
| MD5 | e22b53a9d4cac32e013db2ad4c2cabe9 |
| SHA1 | 61784d3548b7a6d25fe21013c42ca5865da07600 |
| SHA256 | 903f03856cf7f33ee1271b150872f821019e1ada20cca7b4332f36ef50d40937 |
| SHA512 | 196624c9af74afc66d7b0669c570bea3d9564a950ea65e8446b1e61f9d1a2d560400b47c620af9f560dc5eefb276deb17b1419780106a9302402038680234c2e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gi9EF8It.exe
| MD5 | e22b53a9d4cac32e013db2ad4c2cabe9 |
| SHA1 | 61784d3548b7a6d25fe21013c42ca5865da07600 |
| SHA256 | 903f03856cf7f33ee1271b150872f821019e1ada20cca7b4332f36ef50d40937 |
| SHA512 | 196624c9af74afc66d7b0669c570bea3d9564a950ea65e8446b1e61f9d1a2d560400b47c620af9f560dc5eefb276deb17b1419780106a9302402038680234c2e |
memory/4436-77-0x0000000007C30000-0x00000000081D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe
| MD5 | bb3f34f88d98cc48c72231cd89c6edd2 |
| SHA1 | 4d2b68d076bd4832b4db63f851a8f4c226a93b3a |
| SHA256 | 57ef40ca8694fe3c5f7e54b0d31930b286a35a310bae044dc2b9a48bc91ffb3c |
| SHA512 | 6015b7a900d50d63d4aa850f88a180850d7f55d6956b605f93bc2e5fbc61efa451b60b2ac6e77dac88c046115e25ed19a242f5a4af27fb5d942d11a5b4e660f1 |
memory/224-87-0x0000000000550000-0x00000000005AA000-memory.dmp
memory/224-86-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JL56KD9.exe
| MD5 | bb3f34f88d98cc48c72231cd89c6edd2 |
| SHA1 | 4d2b68d076bd4832b4db63f851a8f4c226a93b3a |
| SHA256 | 57ef40ca8694fe3c5f7e54b0d31930b286a35a310bae044dc2b9a48bc91ffb3c |
| SHA512 | 6015b7a900d50d63d4aa850f88a180850d7f55d6956b605f93bc2e5fbc61efa451b60b2ac6e77dac88c046115e25ed19a242f5a4af27fb5d942d11a5b4e660f1 |
memory/4436-80-0x0000000007760000-0x00000000077F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7EB7.exe
| MD5 | 329bce2e07f7898910e3fd4e17b98d42 |
| SHA1 | 94d379a5964c97eefad6432608dd09b4ddb12b77 |
| SHA256 | 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e |
| SHA512 | a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2 |
memory/1616-57-0x00000000007E0000-0x00000000007EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/4436-94-0x0000000007740000-0x0000000007750000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/224-96-0x00000000733C0000-0x0000000073B70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7EB7.exe
| MD5 | 329bce2e07f7898910e3fd4e17b98d42 |
| SHA1 | 94d379a5964c97eefad6432608dd09b4ddb12b77 |
| SHA256 | 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e |
| SHA512 | a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2 |
C:\Users\Admin\AppData\Local\Temp\7EB7.exe
| MD5 | 329bce2e07f7898910e3fd4e17b98d42 |
| SHA1 | 94d379a5964c97eefad6432608dd09b4ddb12b77 |
| SHA256 | 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e |
| SHA512 | a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2 |
memory/4436-95-0x00000000078F0000-0x00000000078FA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Temp\9879.exe
| MD5 | dd879217d6270ce10527c1f4752e2602 |
| SHA1 | 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d |
| SHA256 | a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b |
| SHA512 | 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d |
C:\Users\Admin\AppData\Local\Temp\9879.exe
| MD5 | dd879217d6270ce10527c1f4752e2602 |
| SHA1 | 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d |
| SHA256 | a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b |
| SHA512 | 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d |
memory/4436-113-0x0000000008800000-0x0000000008E18000-memory.dmp
memory/732-114-0x0000000000590000-0x0000000000F76000-memory.dmp
memory/732-116-0x00000000733C0000-0x0000000073B70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9A9D.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
C:\Users\Admin\AppData\Local\Temp\9A9D.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
C:\Users\Admin\AppData\Local\Temp\9CA2.exe
| MD5 | 8e4c82c39fdb3c524a81f62ded2d6c2e |
| SHA1 | bde413f720af010f5c9d8f745d79be00c0fd3c1e |
| SHA256 | be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7 |
| SHA512 | c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2 |
memory/4436-122-0x0000000007A90000-0x0000000007B9A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
memory/4436-129-0x00000000079C0000-0x00000000079D2000-memory.dmp
memory/4436-136-0x0000000007A20000-0x0000000007A5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9CA2.exe
| MD5 | 8e4c82c39fdb3c524a81f62ded2d6c2e |
| SHA1 | bde413f720af010f5c9d8f745d79be00c0fd3c1e |
| SHA256 | be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7 |
| SHA512 | c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2 |
memory/4436-142-0x0000000007BA0000-0x0000000007BEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A463.exe
| MD5 | e2ff8a34d2fcc417c41c822e4f3ea271 |
| SHA1 | 926eaf9dd645e164e9f06ddcba567568b3b8bb1b |
| SHA256 | 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0 |
| SHA512 | 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2 |
C:\Users\Admin\AppData\Local\Temp\A463.exe
| MD5 | e2ff8a34d2fcc417c41c822e4f3ea271 |
| SHA1 | 926eaf9dd645e164e9f06ddcba567568b3b8bb1b |
| SHA256 | 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0 |
| SHA512 | 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
memory/1616-183-0x00000000733C0000-0x0000000073B70000-memory.dmp
memory/1644-184-0x0000000000480000-0x00000000004DA000-memory.dmp
memory/1108-182-0x0000000000940000-0x0000000000D20000-memory.dmp
\??\pipe\LOCAL\crashpad_4288_NQVLCIDRPDZHPLLK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4436-186-0x00000000733C0000-0x0000000073B70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e115307b1d17b5a132cda2218aa01e21 |
| SHA1 | d987916ba18c082713accab2dc0b18e4c4e0f8d0 |
| SHA256 | 235d37039b457af93ae394dd0a2e7331b45475d169fdaf5733a2346ac4f52094 |
| SHA512 | 6c6acbda31c5069c5a2ccc167aff4d3fe796b487303774b1c51b4dff60ee430690d7dbd9cc066d4a564f6cec62df3341964109df4a9829b5d6382b17eb6eddf8 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
memory/1108-191-0x0000000005580000-0x000000000561C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/1644-204-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/1644-208-0x00000000733C0000-0x0000000073B70000-memory.dmp
memory/1108-195-0x00000000733C0000-0x0000000073B70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
memory/1616-216-0x00000000733C0000-0x0000000073B70000-memory.dmp
memory/3740-218-0x0000000000200000-0x0000000000208000-memory.dmp
memory/224-215-0x0000000000400000-0x000000000047E000-memory.dmp
memory/224-226-0x00000000733C0000-0x0000000073B70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a23592ccfed3b1027654794492695c55 |
| SHA1 | 08cf19c9912adfcccd0ae419497f676dbee7c4df |
| SHA256 | ec1bc9b9e819edd941f7f32c84f5da431c619b8b57f9265f04d3b598e3dd20ff |
| SHA512 | 0d79d279744d49fd8807da0760a72a860f9e489cd15cd568a7868d0182ffb1f3960e794c9e17ee26687a2e249cc29dd4c129da3e4f0792e7a640f5a1c27bf595 |
memory/3740-234-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp
memory/4436-237-0x0000000007740000-0x0000000007750000-memory.dmp
memory/1644-236-0x00000000076C0000-0x00000000076D0000-memory.dmp
memory/732-235-0x00000000733C0000-0x0000000073B70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8933d4a1c1677538dba09da78c2b5b08 |
| SHA1 | 4b85d0fb6218d638f33b172feb0af377a5868f6f |
| SHA256 | a8ef4aeabca78b226da5e9b57a8758e1ae04e3ef01274b8f6d61efa2fece7cd1 |
| SHA512 | 70c07949b59d7850fa0f5a469e0cdacdaf63870440d5bcf850ea5045a9e78d55e3480e24c9e59509a20b24e8e6fa60fbb99f6ed0dd9f08e5674e673a7c9bb15c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a23592ccfed3b1027654794492695c55 |
| SHA1 | 08cf19c9912adfcccd0ae419497f676dbee7c4df |
| SHA256 | ec1bc9b9e819edd941f7f32c84f5da431c619b8b57f9265f04d3b598e3dd20ff |
| SHA512 | 0d79d279744d49fd8807da0760a72a860f9e489cd15cd568a7868d0182ffb1f3960e794c9e17ee26687a2e249cc29dd4c129da3e4f0792e7a640f5a1c27bf595 |
\??\pipe\LOCAL\crashpad_3424_DADOIVFERKEBRADR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f5b242b56518d933dd46374d305bcb7c |
| SHA1 | 2d148a510db30dc2cf62d75324fe5280579e5196 |
| SHA256 | ab2de90fc44682b479545ff5d00c81b164c3e673dce59f86cde412861638e587 |
| SHA512 | c8efca6063b476bef0f8b99c21da16559059a6fae750ec5deed1e1481a82aeee3bfc10f003d2f342093bd9d17bfe3620634520b98c3d26c629e8a35d352c5ffb |
memory/1644-275-0x0000000008110000-0x0000000008176000-memory.dmp
memory/1108-281-0x0000000002F50000-0x0000000002F5A000-memory.dmp
memory/1108-282-0x0000000002F70000-0x0000000002F78000-memory.dmp
memory/1108-286-0x00000000733C0000-0x0000000073B70000-memory.dmp
memory/1752-292-0x00007FF69DBD0000-0x00007FF69E171000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | b81b2eb3482efa33317c20415beaf6a4 |
| SHA1 | 34711c1bad47eb6b94c242473de396eb9362543e |
| SHA256 | 61bf7b52d24d540150690db32dd12dbc9a11f8b7ac4bacfd1516df25c2b583dc |
| SHA512 | e4f6e69851a7ce778c7e1f8f4904654e887ef505dfe1fe9bc26834f96b787f4573b9bf9d827328690ec274ca102a8a0ce6b098cd49d51214f43760ff7227464b |
memory/1108-299-0x00000000056C0000-0x0000000005852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | b81b2eb3482efa33317c20415beaf6a4 |
| SHA1 | 34711c1bad47eb6b94c242473de396eb9362543e |
| SHA256 | 61bf7b52d24d540150690db32dd12dbc9a11f8b7ac4bacfd1516df25c2b583dc |
| SHA512 | e4f6e69851a7ce778c7e1f8f4904654e887ef505dfe1fe9bc26834f96b787f4573b9bf9d827328690ec274ca102a8a0ce6b098cd49d51214f43760ff7227464b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 3a748249c8b0e04e77ad0d6723e564ff |
| SHA1 | 5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729 |
| SHA256 | f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed |
| SHA512 | 53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2 |
memory/1108-320-0x0000000003020000-0x0000000003030000-memory.dmp
memory/5636-319-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1108-317-0x0000000005660000-0x0000000005670000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | b81b2eb3482efa33317c20415beaf6a4 |
| SHA1 | 34711c1bad47eb6b94c242473de396eb9362543e |
| SHA256 | 61bf7b52d24d540150690db32dd12dbc9a11f8b7ac4bacfd1516df25c2b583dc |
| SHA512 | e4f6e69851a7ce778c7e1f8f4904654e887ef505dfe1fe9bc26834f96b787f4573b9bf9d827328690ec274ca102a8a0ce6b098cd49d51214f43760ff7227464b |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/1108-323-0x0000000003020000-0x0000000003030000-memory.dmp
memory/1108-324-0x0000000003020000-0x0000000003030000-memory.dmp
memory/5636-332-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1108-331-0x0000000003020000-0x0000000003030000-memory.dmp
memory/1108-334-0x0000000005EB0000-0x0000000005FB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp
| MD5 | e416b5593ef10377e8edc748ca6f2527 |
| SHA1 | d06fb79becff1bedd80f1b861449c8665af9aa67 |
| SHA256 | a7e400b62721851753ec6453e7eb3a5df4797149cfa1d3b0bf9db0a837863eb0 |
| SHA512 | 8e44b491f86779ab5a6834da0639952be11d6ab598f392cee28ed5dabd71b3b15330d872620c1d0d858024e0e09d81ab0f9addbde82c1695de22d0bdf8f5be7c |
memory/3740-330-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp
memory/1108-326-0x0000000003020000-0x0000000003030000-memory.dmp
memory/5840-339-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SJ2US.tmp\LzmwAqmV.tmp
| MD5 | e416b5593ef10377e8edc748ca6f2527 |
| SHA1 | d06fb79becff1bedd80f1b861449c8665af9aa67 |
| SHA256 | a7e400b62721851753ec6453e7eb3a5df4797149cfa1d3b0bf9db0a837863eb0 |
| SHA512 | 8e44b491f86779ab5a6834da0639952be11d6ab598f392cee28ed5dabd71b3b15330d872620c1d0d858024e0e09d81ab0f9addbde82c1695de22d0bdf8f5be7c |
memory/1644-338-0x00000000733C0000-0x0000000073B70000-memory.dmp
memory/1108-341-0x0000000003020000-0x0000000003030000-memory.dmp
memory/1108-344-0x0000000005EB0000-0x0000000005FB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-5I9HH.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/1108-364-0x00000000733C0000-0x0000000073B70000-memory.dmp
memory/5832-365-0x0000000000610000-0x0000000000611000-memory.dmp
memory/5984-369-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4364-372-0x00000000008D0000-0x00000000008D9000-memory.dmp
memory/6068-379-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/5984-377-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4364-370-0x0000000000A70000-0x0000000000B70000-memory.dmp
memory/1644-368-0x00000000076C0000-0x00000000076D0000-memory.dmp
memory/5984-367-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5984-363-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1644-381-0x00000000089F0000-0x0000000008A66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lj998Dz.exe
| MD5 | 2034573ee4fec5a6f977653d54b9376e |
| SHA1 | 75ea9485c6946298540fd7e9f7b83bb74fc49f0b |
| SHA256 | 389db89bde2b96b54bbaba005153bf4512c4e1e63fefa360dc757af26c958561 |
| SHA512 | 76de72375be42485bb9a6a1a76a59059bbbeb33bf45797e64c254de3785f215a8d4620c8fd0da4a8ea12fe9e4d6129a5af18f2ebce3291317d1b2ed3a085623d |
memory/6068-383-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5840-362-0x0000000000400000-0x000000000041B000-memory.dmp
memory/6124-386-0x00000000733C0000-0x0000000073B70000-memory.dmp
memory/6124-385-0x0000000000D70000-0x0000000000DAE000-memory.dmp
memory/1108-361-0x0000000005EB0000-0x0000000005FB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-5I9HH.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\is-5I9HH.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/5840-343-0x0000000000400000-0x000000000041B000-memory.dmp
memory/6124-388-0x0000000007A80000-0x0000000007A90000-memory.dmp
memory/1644-413-0x0000000008AB0000-0x0000000008ACE000-memory.dmp
memory/1040-414-0x00000000028B0000-0x0000000002CAF000-memory.dmp
C:\ProgramData\CoreArchive\CoreArchive.exe
| MD5 | 46e6bb577ceb65806ef24e900abf04a0 |
| SHA1 | 947f8ac53bbc779a51a48f5e7d9634720105b689 |
| SHA256 | b9763b0e13159d7ddedcd2ae757e9557a6f1d8081b2646ae4d9bebe845f9c451 |
| SHA512 | be03e8f7f4e2759022e0bbbf02c93fe4343f2f603c83b8e46e8387371de6a0d38221ea37b480f3e2135af3077e96f8c515b04d99aa4cd215e8db32c467513e4b |
memory/4240-437-0x0000000000400000-0x0000000000636000-memory.dmp
memory/4240-440-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7b820bf35ead1603b44e8104f79531e2 |
| SHA1 | bceaf499a182959ca085ecc921c06565b1bf24ef |
| SHA256 | 2a9935ebfd17356eabc31282e827cbff1a0a7698bb525c3b57146f3a9d9072a4 |
| SHA512 | fa48818410c9769eb9edd0b181725f4f303066464bca5c099241f28940b7e63a1374cf862a31cc48e79f174237640ea5421014d62012813a6d19f79f22c0e46a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | da6c8a1e41148106a00a89a5bb238727 |
| SHA1 | 6a8ff3294d1f378acd2dd8620ca9b6351e6cc6cb |
| SHA256 | e4ca448ce9f43d705c6089dceae0854b331faf2dd4d0f576d6803016e4ebd529 |
| SHA512 | 6cae6b09243519a25b7decabc021fb41a0c8808aa45c9241c4d6e02f88038b561de3daa55671f296dd1219c892a447a4bc023183d0a87d12c9e4e00c9496835d |
memory/6068-465-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3232-464-0x0000000002E90000-0x0000000002EA6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b72464531eda9c139d7fee6ceae9adf9 |
| SHA1 | 6c5675d501cda6b8babb4940912ca733b17ee029 |
| SHA256 | e253d634c94a9799873b940cfbda6d8e34ff755b7f1e1d57001928fc6dfa69b8 |
| SHA512 | 91e76ac3c76e4ef75ec64f4ab1921b9dc92ae3607f64b2835370af7613eee4a8079c2db2cf824110960620a4b490144db739ec4745bd9c5c649fece12dd183f3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590a85.TMP
| MD5 | 9c8ec2f921d5bd42f708ba8182f7a3c6 |
| SHA1 | 84d0ea6be233041fb712d00ccf616c847f5eb064 |
| SHA256 | ae7788f9a0bc9b63d1e5ae795274401ab8f96e262d91b3e9db5955e5c9aeffe3 |
| SHA512 | 55f97a54090a0366ffec54ceb4ff466db4d5bf15479091f08101a8b0eb2c7190c30452a9d0d9f847dec93e49c473cb7e2cc691b36cb9588d873dff411c6c5703 |
memory/5832-480-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/1040-488-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5560-494-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d1429f96f1ff1204b4308c23639091b2 |
| SHA1 | 37fb6501dc5730f3f17711e04ead78822656c3ee |
| SHA256 | df60b49ca841421f12e0d6d5e2996264c9081ae1b15753e38afcbb4788b5d79c |
| SHA512 | 76714f3fcd06a5cd38f136fe4675add150fde8e457066b89ce5a5b3a37dda425a1a57e462e0f35cf7aaf23e14cf66f213d2fe8298797928bd130643f89732836 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obigk44l.5fw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1040-574-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/1752-597-0x00007FF69DBD0000-0x00007FF69E171000-memory.dmp
memory/5560-598-0x0000000000400000-0x0000000000636000-memory.dmp
memory/1752-625-0x00007FF69DBD0000-0x00007FF69E171000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
memory/1040-678-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5792-680-0x00007FF73E110000-0x00007FF73E476000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1fc73ad88c9785885e8ad31970410530 |
| SHA1 | 93b7411fb87350f88ada75a418a9920cc20f8474 |
| SHA256 | 7d0c0f0aa1f7dfb077bd801d96a0c20c512c7930e55366426d7705e9df428314 |
| SHA512 | 6406ccb9f6f69df1e074be4159a10bca9161f2e0c942493a08970cd69aa8d7045fe3b4a150ca65ecf94bbd11f39e93582b0724a79ce9e812210b577c93360250 |
memory/5560-705-0x0000000000400000-0x0000000000636000-memory.dmp
memory/5240-723-0x00007FF672DD0000-0x00007FF673371000-memory.dmp
memory/2264-731-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5792-770-0x00007FF73E110000-0x00007FF73E476000-memory.dmp
memory/5560-771-0x0000000000400000-0x0000000000636000-memory.dmp
memory/4252-789-0x0000000001300000-0x000000000133E000-memory.dmp
memory/5792-790-0x00007FF73E110000-0x00007FF73E476000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8019fc8342dc094aa41282bcd123608a |
| SHA1 | 27f281826f59236f197a2b0ddbb2bfdf6935834a |
| SHA256 | fdb0443c2c98899fd17edc7c49d51c32c0c2f9cdff74ddb02a5a4f7a056d970e |
| SHA512 | 38a80f5c8133333ba925e12cc8d765c9605558eb33784d14be0179034b1813378026734eccd5a41b898fce77e9244fe899b4c54761986044d3cb0fbf020a6494 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ffa3ab3faa9a9fae197ffe5544385ebc |
| SHA1 | 1013c2dfe753e27336dcf4075e5acf9eaef6aa14 |
| SHA256 | be743bb55c8da8afb5f33a5548927676a4021ca2204824ec0392900fa4dfa025 |
| SHA512 | ece91a770d7b1b6a5c50d37d30f2b6c085ccaf050c03b8f528656df8d26c43ecde367806e9e7b41cb93ea03a6178a7127be5e2b07a5dfbc2a9ae500a0c9379e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 375f40e3d49f36af58d0b93428cbc6f1 |
| SHA1 | 62dc9bdc78242ea43d84befafe1e612a43a67d25 |
| SHA256 | 6bc5df748b6a2838c11ba9f17f5285c13165a1f1260bae7f3c7554d69d0d0e33 |
| SHA512 | b440617ce61e379aa6e9ae6ea5638a033f5c38a4c01b52d7350cae1c61dee1d4694b6acc1efc417c322692041bd7fe6334ee8eab9bc6293b53a3974bbe15ea47 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 11eb18e44c2d2329b6a505f98ca56323 |
| SHA1 | 59159fa1f86b42dbf8a2b034f246d2ddbf102b2a |
| SHA256 | 5f21029f3fa416416fc29b26d4b152b51dd042285df8fd3fa06b0ab356b9fa2c |
| SHA512 | 3f520dbaf020cb2c712bed311eca5a3da5980ccc4d48eae2f2edcc115a76d33e4e72fb481ead468cce16b44a078a981a11af2dfde55c3b3795e63eefab664c77 |