Analysis Overview
SHA256
d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31
Threat Level: Known bad
The file d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31 was found to be: Known bad.
Malicious Activity Summary
DcRat
Glupteba
SmokeLoader
Glupteba payload
Raccoon Stealer payload
Raccoon
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies Windows Defender Real-time Protection settings
Amadey
RedLine payload
Detect ZGRat V1
ZGRat
RedLine
Drops file in Drivers directory
Stops running service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Checks computer location settings
UPX packed file
Windows security modification
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Manipulates WinMonFS driver.
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious behavior: LoadsDriver
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 07:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 07:55
Reported
2023-10-26 07:57
Platform
win10v2004-20231023-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\F3AB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\F3AB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\F3AB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\F3AB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\F3AB.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5lX8PJ3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\229D.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F718.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F718.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\261A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\261A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\F3AB.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw3ab52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ex8QX0jl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ke2Ql4ic.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\av8tT7AK.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xl1Gm89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ9DB98.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\EF32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\2425.exe'\"" | C:\Users\Admin\AppData\Local\Temp\2425.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iY9AY6Py.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DC1fX52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Mo9XG69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Drive Tools\is-K2VNH.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-6DQAU.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-OMC5B.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-85IJH.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-VGR49.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-BTT3J.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-LR0FV.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-29O5R.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-D5I1Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-K4R5J.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-43D2J.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-VFR1V.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-30O5P.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-0O9RL.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-OF3QI.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-7GE68.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-SS2EV.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-EEE03.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\Lang\is-M1CT9.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-IQVGU.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-UKKH7.tmp | C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\F718.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F3AB.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe | "C:\Users\Admin\AppData\Local\Temp\d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xl1Gm89.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xl1Gm89.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ9DB98.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ9DB98.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw3ab52.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw3ab52.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DC1fX52.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DC1fX52.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Mo9XG69.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Mo9XG69.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BE68Fe2.exe | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BE68Fe2.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zC1424.exe | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zC1424.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4636 -ip 4636 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 540 |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Bm839RL.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Bm839RL.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5lX8PJ3.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5lX8PJ3.exe |
| C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Hd3KS7.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Hd3KS7.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "explothe.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "explothe.exe" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nQ3tg38.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nQ3tg38.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\fefffe8cea" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\fefffe8cea" /P "Admin:R" /E |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BE4F.tmp\BE50.tmp\BE51.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nQ3tg38.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/ |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/ |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2912 /prefetch:3 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2860 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13715077489350696047,2584934161393044779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13715077489350696047,2584934161393044779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1 |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,17090615230723913346,18305231615301296474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1 |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1 |
| C:\Users\Admin\AppData\Local\Temp\EF32.exe | C:\Users\Admin\AppData\Local\Temp\EF32.exe |
| C:\Users\Admin\AppData\Local\Temp\F00E.exe | C:\Users\Admin\AppData\Local\Temp\F00E.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ex8QX0jl.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ex8QX0jl.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ke2Ql4ic.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ke2Ql4ic.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iY9AY6Py.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iY9AY6Py.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F196.bat" " |
| C:\Users\Admin\AppData\Local\Temp\F2A0.exe | C:\Users\Admin\AppData\Local\Temp\F2A0.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\av8tT7AK.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\av8tT7AK.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login |
| C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1og51cM3.exe | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1og51cM3.exe |
| C:\Users\Admin\AppData\Local\Temp\F3AB.exe | C:\Users\Admin\AppData\Local\Temp\F3AB.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718 |
| C:\Users\Admin\AppData\Local\Temp\F532.exe | C:\Users\Admin\AppData\Local\Temp\F532.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1 |
| C:\Users\Admin\AppData\Local\Temp\F718.exe | C:\Users\Admin\AppData\Local\Temp\F718.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/ |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4472 -ip 4472 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 784 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2vX306MS.exe | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2vX306MS.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4832 -ip 4832 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 540 |
| C:\Users\Admin\AppData\Local\Temp\229D.exe | C:\Users\Admin\AppData\Local\Temp\229D.exe |
| C:\Users\Admin\AppData\Local\Temp\2425.exe | C:\Users\Admin\AppData\Local\Temp\2425.exe |
| C:\Users\Admin\AppData\Local\Temp\261A.exe | C:\Users\Admin\AppData\Local\Temp\261A.exe |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\kos4.exe | "C:\Users\Admin\AppData\Local\Temp\kos4.exe" |
| C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe |
| C:\Users\Admin\AppData\Local\Temp\latestX.exe | "C:\Users\Admin\AppData\Local\Temp\latestX.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1944 -ip 1944 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 784 |
| C:\Users\Admin\AppData\Local\Temp\3657.exe | C:\Users\Admin\AppData\Local\Temp\3657.exe |
| C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe | "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp | "C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp" /SL5="$F011A,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Program Files (x86)\Drive Tools\zDriveTools.exe | "C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1" |
| C:\Program Files (x86)\Drive Tools\zDriveTools.exe | "C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Query |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 856 -ip 856 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 572 |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\7640.exe | C:\Users\Admin\AppData\Local\Temp\7640.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\System32\sc.exe | sc stop UsoSvc |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\sc.exe | sc stop WaaSMedicSvc |
| C:\Windows\System32\sc.exe | sc stop wuauserv |
| C:\Windows\System32\sc.exe | sc stop bits |
| C:\Windows\System32\sc.exe | sc stop dosvc |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-ac 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-dc 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-ac 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-dc 0 |
| C:\Windows\System32\schtasks.exe | C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC" |
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xl1Gm89.exe
| MD5 | 8f88b9ad216e9af2b73c6d365387cc0f |
| SHA1 | 87b6087b2088ae50bf33eb523ab5d9354d42a0b5 |
| SHA256 | bdd553da63441ada50b1831351a56dcf2ac9d9de2201503227986b70339b1b1f |
| SHA512 | ab51cd6be3c7911962f4a653abe0ce2492a3206e991cc11a535d6f488f0330c8aeb0d7f0b0a32960b71c218675caa305a2ff7fa5add69ba9082b2a755c004ff4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xl1Gm89.exe
| MD5 | 8f88b9ad216e9af2b73c6d365387cc0f |
| SHA1 | 87b6087b2088ae50bf33eb523ab5d9354d42a0b5 |
| SHA256 | bdd553da63441ada50b1831351a56dcf2ac9d9de2201503227986b70339b1b1f |
| SHA512 | ab51cd6be3c7911962f4a653abe0ce2492a3206e991cc11a535d6f488f0330c8aeb0d7f0b0a32960b71c218675caa305a2ff7fa5add69ba9082b2a755c004ff4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ9DB98.exe
| MD5 | aa30e8f201fca906330ac95b16db9d1d |
| SHA1 | 7d3bd317ac3ad8aa49911f6eb56885156b6d187b |
| SHA256 | 6044344b537f8cebfd1b72ec49347da51216bcc79b036a22268a3255dbf43551 |
| SHA512 | b5cd407388cbfd943e2ff551374eb46cf184715f437f2a921a35dee90b58363b3d235addf1acd06df9caf0bb6d51a9146a6485d288d33ec18faf68078ce0a073 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ9DB98.exe
| MD5 | aa30e8f201fca906330ac95b16db9d1d |
| SHA1 | 7d3bd317ac3ad8aa49911f6eb56885156b6d187b |
| SHA256 | 6044344b537f8cebfd1b72ec49347da51216bcc79b036a22268a3255dbf43551 |
| SHA512 | b5cd407388cbfd943e2ff551374eb46cf184715f437f2a921a35dee90b58363b3d235addf1acd06df9caf0bb6d51a9146a6485d288d33ec18faf68078ce0a073 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw3ab52.exe
| MD5 | 30fc469dd45d40ca0d29d259fa0c0159 |
| SHA1 | dbffc5c94d1da65354ec4d654bf667d827599e34 |
| SHA256 | 9f79268a626156a3f2694256c6119826d3a458464f24ec96ea80e3e65bc8f66c |
| SHA512 | 3439a0e75bb6836078975d9cbf8183e118387b85812f2bb21d99c9907fe3d99da67c9a13e730f8f81402c3db8a411ae2845e1d8cbbe7907c096c560f7757a4ea |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw3ab52.exe
| MD5 | 30fc469dd45d40ca0d29d259fa0c0159 |
| SHA1 | dbffc5c94d1da65354ec4d654bf667d827599e34 |
| SHA256 | 9f79268a626156a3f2694256c6119826d3a458464f24ec96ea80e3e65bc8f66c |
| SHA512 | 3439a0e75bb6836078975d9cbf8183e118387b85812f2bb21d99c9907fe3d99da67c9a13e730f8f81402c3db8a411ae2845e1d8cbbe7907c096c560f7757a4ea |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DC1fX52.exe
| MD5 | 96c220267dc0b78b3a61fd8acdbf3fca |
| SHA1 | 2eceae7e1d285b3ba8e4e081909ff46a02a8c65f |
| SHA256 | b509c1818229047820ba0fc63cc3e50f44c1b9faf28b2b738e5623b29ef20976 |
| SHA512 | 2985be5262e9a6c9442ad679796de3aeffd93984307e8e21cf0f2d53033e15152fadaf4f7c881d1554d6e82bedef1ed6f94c6cb79eea8d7c3f94103e1da9eadd |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DC1fX52.exe
| MD5 | 96c220267dc0b78b3a61fd8acdbf3fca |
| SHA1 | 2eceae7e1d285b3ba8e4e081909ff46a02a8c65f |
| SHA256 | b509c1818229047820ba0fc63cc3e50f44c1b9faf28b2b738e5623b29ef20976 |
| SHA512 | 2985be5262e9a6c9442ad679796de3aeffd93984307e8e21cf0f2d53033e15152fadaf4f7c881d1554d6e82bedef1ed6f94c6cb79eea8d7c3f94103e1da9eadd |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Mo9XG69.exe
| MD5 | 1bd7033b7674a52b678ae4d427b8eb03 |
| SHA1 | 456c5e0b2275ad5068af7b63939dff5088667b5c |
| SHA256 | 089af742b58f5b944f52112a9739839fd4363226847d6bf36cb0e0b35186ca85 |
| SHA512 | 4ad1c2c91d757e6c1b09dae6cd981c4a303aa1db5e11bf6a28b5d76e2e837e7f6f9029048f390b09a0cb46400ea01717bf4f52cf138722b3b6a70680b88c4589 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Mo9XG69.exe
| MD5 | 1bd7033b7674a52b678ae4d427b8eb03 |
| SHA1 | 456c5e0b2275ad5068af7b63939dff5088667b5c |
| SHA256 | 089af742b58f5b944f52112a9739839fd4363226847d6bf36cb0e0b35186ca85 |
| SHA512 | 4ad1c2c91d757e6c1b09dae6cd981c4a303aa1db5e11bf6a28b5d76e2e837e7f6f9029048f390b09a0cb46400ea01717bf4f52cf138722b3b6a70680b88c4589 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BE68Fe2.exe
| MD5 | b51ed5854d8ad33ea7e298b8fdb51a0d |
| SHA1 | 6c04f760a2d34f702b550324317a8b7d3aad2e0d |
| SHA256 | 3de6f5ff268ffafd264e08db5e9cde208b6ea1789be6a3d912db365d59728e3c |
| SHA512 | 65da21e8b16d88445bdb457fb5ba6bef9dbd2f8e196e59eb1555b861359e734d11bb066a32ea36f8f79fc4441e598d1fbf128224b5aeab18178c93fcad347b72 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BE68Fe2.exe
| MD5 | b51ed5854d8ad33ea7e298b8fdb51a0d |
| SHA1 | 6c04f760a2d34f702b550324317a8b7d3aad2e0d |
| SHA256 | 3de6f5ff268ffafd264e08db5e9cde208b6ea1789be6a3d912db365d59728e3c |
| SHA512 | 65da21e8b16d88445bdb457fb5ba6bef9dbd2f8e196e59eb1555b861359e734d11bb066a32ea36f8f79fc4441e598d1fbf128224b5aeab18178c93fcad347b72 |
memory/2868-42-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zC1424.exe
| MD5 | edc6f7c21187ee0d35814961af64772a |
| SHA1 | b252ef94fd2627d409d51fac9c0348297eade277 |
| SHA256 | e79f4d993e90765e775ac638bc8b7648bf50f9d5bc5c2edd783065557ef66063 |
| SHA512 | 7dadd26f5d6f9ae0f38ebc719ce1b7168587d135d68bbee7b2788010928db6170b59697d2ec1aa70c926d6f9757eecc9eadedd6eb6b5719f972fb9586529d88c |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zC1424.exe
| MD5 | edc6f7c21187ee0d35814961af64772a |
| SHA1 | b252ef94fd2627d409d51fac9c0348297eade277 |
| SHA256 | e79f4d993e90765e775ac638bc8b7648bf50f9d5bc5c2edd783065557ef66063 |
| SHA512 | 7dadd26f5d6f9ae0f38ebc719ce1b7168587d135d68bbee7b2788010928db6170b59697d2ec1aa70c926d6f9757eecc9eadedd6eb6b5719f972fb9586529d88c |
memory/2868-46-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/4636-47-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4636-48-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4636-49-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4636-51-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe
| MD5 | c3bc6af2c19047d11d4663f56c02f211 |
| SHA1 | a500298076456ef934b7e955e6eb4cb46ec608fd |
| SHA256 | 25219b7ae08616d3e92aba258d04b427a586c71aea3017484aa95da5ab99307a |
| SHA512 | afe75d4745d3ead8243c85d6893b6713e3b42ec1472e3457a87072612a723e202e6cf62ab11ff9785f8e9e22c889716d97256be0ff7a8590377ab810d3158c3a |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe
| MD5 | c3bc6af2c19047d11d4663f56c02f211 |
| SHA1 | a500298076456ef934b7e955e6eb4cb46ec608fd |
| SHA256 | 25219b7ae08616d3e92aba258d04b427a586c71aea3017484aa95da5ab99307a |
| SHA512 | afe75d4745d3ead8243c85d6893b6713e3b42ec1472e3457a87072612a723e202e6cf62ab11ff9785f8e9e22c889716d97256be0ff7a8590377ab810d3158c3a |
memory/820-54-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3376-56-0x0000000002D50000-0x0000000002D66000-memory.dmp
memory/820-57-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Bm839RL.exe
| MD5 | 239e209a7b65b3292cf7f20ed90834e2 |
| SHA1 | f27d63c298e61865e2b67a836b04f3d9aaf22b91 |
| SHA256 | 78f862fd340d055e4dbce6de271a6eedf6deddec1f3a050fc4c4f012478a7242 |
| SHA512 | 5c1e59ffbcba5651dc04a965b41c803267b34fe6363c5706e1917dfe64d7588e7baff652ce4f7eb2673cd1f472802943572f1d85165cb52aa2e3d7e1b2c15b3e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Bm839RL.exe
| MD5 | 239e209a7b65b3292cf7f20ed90834e2 |
| SHA1 | f27d63c298e61865e2b67a836b04f3d9aaf22b91 |
| SHA256 | 78f862fd340d055e4dbce6de271a6eedf6deddec1f3a050fc4c4f012478a7242 |
| SHA512 | 5c1e59ffbcba5651dc04a965b41c803267b34fe6363c5706e1917dfe64d7588e7baff652ce4f7eb2673cd1f472802943572f1d85165cb52aa2e3d7e1b2c15b3e |
memory/2868-63-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/2868-65-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/1088-66-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5lX8PJ3.exe
| MD5 | f9d733b19d1fa3c7d045fead6ed51af4 |
| SHA1 | 3bc069c3b07d54ff4306d889e64f43462e5715ac |
| SHA256 | 91580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2 |
| SHA512 | 9f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5lX8PJ3.exe
| MD5 | f9d733b19d1fa3c7d045fead6ed51af4 |
| SHA1 | 3bc069c3b07d54ff4306d889e64f43462e5715ac |
| SHA256 | 91580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2 |
| SHA512 | 9f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | f9d733b19d1fa3c7d045fead6ed51af4 |
| SHA1 | 3bc069c3b07d54ff4306d889e64f43462e5715ac |
| SHA256 | 91580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2 |
| SHA512 | 9f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac |
memory/1088-73-0x0000000073C70000-0x0000000074420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/1088-74-0x0000000008340000-0x00000000088E4000-memory.dmp
memory/1088-75-0x0000000007D90000-0x0000000007E22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | f9d733b19d1fa3c7d045fead6ed51af4 |
| SHA1 | 3bc069c3b07d54ff4306d889e64f43462e5715ac |
| SHA256 | 91580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2 |
| SHA512 | 9f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | f9d733b19d1fa3c7d045fead6ed51af4 |
| SHA1 | 3bc069c3b07d54ff4306d889e64f43462e5715ac |
| SHA256 | 91580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2 |
| SHA512 | 9f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac |
memory/1088-83-0x0000000007ED0000-0x0000000007EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Hd3KS7.exe
| MD5 | 15d86de7c60a3f2e1cc1d379ad9c16f9 |
| SHA1 | 8c6190a1e0e4066a98d9e6050860a4fc7706b3df |
| SHA256 | 146c605d2c77703ae8f836b933e8faf5dc2125b19106438281ea3398d674a6a3 |
| SHA512 | f71c301ec85c102e2a1841e76e1dc3d4af1265b948ae683084bd78512e4503ccad9ead27ad58c8275912ee05549ee045d7a83d58776fbede0e505237c74cd695 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Hd3KS7.exe
| MD5 | 15d86de7c60a3f2e1cc1d379ad9c16f9 |
| SHA1 | 8c6190a1e0e4066a98d9e6050860a4fc7706b3df |
| SHA256 | 146c605d2c77703ae8f836b933e8faf5dc2125b19106438281ea3398d674a6a3 |
| SHA512 | f71c301ec85c102e2a1841e76e1dc3d4af1265b948ae683084bd78512e4503ccad9ead27ad58c8275912ee05549ee045d7a83d58776fbede0e505237c74cd695 |
memory/1088-87-0x0000000007E30000-0x0000000007E3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nQ3tg38.exe
| MD5 | 1060131e19463461f5d0fa5510305d97 |
| SHA1 | 402ebd1d55fdb69487a7e8858356d816c6388269 |
| SHA256 | 9c468e2fc6aad99bc4a048eacc1438e12531cbe7513bee26a7f2dee16bd54c71 |
| SHA512 | 56425ed53bcb96075e53df380159375048bdddaee27070491ae33660b7b2bb9df05838e574d57632ab0d427349c23f510b3187b90409170dea6c4e2b6023583d |
memory/1088-90-0x0000000008F10000-0x0000000009528000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nQ3tg38.exe
| MD5 | 1060131e19463461f5d0fa5510305d97 |
| SHA1 | 402ebd1d55fdb69487a7e8858356d816c6388269 |
| SHA256 | 9c468e2fc6aad99bc4a048eacc1438e12531cbe7513bee26a7f2dee16bd54c71 |
| SHA512 | 56425ed53bcb96075e53df380159375048bdddaee27070491ae33660b7b2bb9df05838e574d57632ab0d427349c23f510b3187b90409170dea6c4e2b6023583d |
memory/1088-91-0x00000000080E0000-0x00000000081EA000-memory.dmp
memory/1088-93-0x0000000008000000-0x0000000008012000-memory.dmp
memory/1088-95-0x0000000008060000-0x000000000809C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BE4F.tmp\BE50.tmp\BE51.bat
| MD5 | 376a9f688d0224a448db8acbf154f0dc |
| SHA1 | 4b36f19dc23654c9333289c37e454fe09ea28ab5 |
| SHA256 | 7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a |
| SHA512 | a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b |
memory/1088-97-0x00000000081F0000-0x000000000823C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | df4fb359f7b2fa8af30bf98045c57c44 |
| SHA1 | 6d507359e1fd5be8f7c01fd4b291f81cf9561378 |
| SHA256 | 5ff7efcd90db74ff5a6fa467ba741889306ce510b95db8ebd3d5d292dfe587cc |
| SHA512 | 92195f5fe36acb84ce5aeedf8654c2ec1d71ebde1e04a5dbce11df2831c3e085c0cd7132ed2c4bddcc3fd1e546c06021dbe5b7364e86054e6cbd6806e7be0463 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
\??\pipe\LOCAL\crashpad_3748_XUNIWUYGBOQQZZLT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_4016_LRSBRTHTSOEUVHBX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 37a8962def9fe0fea069df8aadd37a83 |
| SHA1 | 1e61110f54b408e70b4b4adf40faeff3bc02e3ee |
| SHA256 | 42778867701cb2f86b0bfaea2e409127f250b7c7aa77762608f6463cf264eab2 |
| SHA512 | 9065353727d294b3b4904651ea0f5190b2b248b95173ce4ef1e2c4133ff63022b354acfa338cc69499862f081c90ce56600eacfd02f4c903f0f1077a334d417f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3317731087c670b2e83bbf4469afe617 |
| SHA1 | 26ed1b8e3a929ae793cc8813a3e5d851170104b8 |
| SHA256 | f2b8a6e4382b3bca5bd5e4daa83786e8bdce54eb0f69e134bece01e1c08fb6de |
| SHA512 | 2ec04a908dbf68814b55d859be930ec147e092eb911a3967a79af3d822e47a84ad2aedb8495c46497cfd6446debfcdd2bc3530394bec1549c21ff8eec6f225ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 84df16093540d8d88a327b849dd35f8c |
| SHA1 | c6207d32a8e44863142213697984de5e238ce644 |
| SHA256 | 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c |
| SHA512 | 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 37a8962def9fe0fea069df8aadd37a83 |
| SHA1 | 1e61110f54b408e70b4b4adf40faeff3bc02e3ee |
| SHA256 | 42778867701cb2f86b0bfaea2e409127f250b7c7aa77762608f6463cf264eab2 |
| SHA512 | 9065353727d294b3b4904651ea0f5190b2b248b95173ce4ef1e2c4133ff63022b354acfa338cc69499862f081c90ce56600eacfd02f4c903f0f1077a334d417f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2ec838a762fd238aa250b9af1575e8c0 |
| SHA1 | eba70e984523a9dce2b1f1a59ed15160b15d0762 |
| SHA256 | 0c09af6bc7aeb44c2aec44b295c724064324acdee66db9471688952f75f6ea39 |
| SHA512 | ba965de34f2a0a6b055acf4b0f07f6fdf95f41e28d1e23bdb07cf2d0f8590f491fa4007a480af91d64c8a4d57a50d7884bb1b291bf341bb96e85053d6a75b5f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2ec838a762fd238aa250b9af1575e8c0 |
| SHA1 | eba70e984523a9dce2b1f1a59ed15160b15d0762 |
| SHA256 | 0c09af6bc7aeb44c2aec44b295c724064324acdee66db9471688952f75f6ea39 |
| SHA512 | ba965de34f2a0a6b055acf4b0f07f6fdf95f41e28d1e23bdb07cf2d0f8590f491fa4007a480af91d64c8a4d57a50d7884bb1b291bf341bb96e85053d6a75b5f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/1088-284-0x0000000073C70000-0x0000000074420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | f46787797bc3005eb90ca58e39f08c91 |
| SHA1 | 8a413b882d700e6e2194d412400e262140eaff9c |
| SHA256 | e925e2710841c40d3ec018eae67856af845355e66fdebdcb362a4ddabcef5af1 |
| SHA512 | 33f7146f8d59b4e8dec8be9b0d0ca377f9b6f88681ca755ea2d6e22aa62dcbf162678f6ba73509a670c398c8a5aeb06ca32764573bd8a9b5f8a16b1d48b9eac8 |
memory/1088-300-0x0000000007ED0000-0x0000000007EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1f8ceb92affda17a56c2e81cf200adb3 |
| SHA1 | 53efc6c8a59dac27d2e2fdde77d89700123b4e77 |
| SHA256 | a8d0c902e42dfc2808b99ab91336b59d24795408d88b146edb245d69ce9ee260 |
| SHA512 | 433a3273f6418bfb8d4208783237afb7576d468c5d7642361195d24938e7a42ac5c89fb8018c4baba3402db456fd52042a82292cb9d997d4edcfe257f73e43fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | f6f0b45177069cacdddcce16e71bd898 |
| SHA1 | 1edb9a902ab4b58f48fa8de317ba620371ac1737 |
| SHA256 | c9b7e695cee9a5582fa15b098dede8d438160ea577a01b0cfcd35c10b1ce02f2 |
| SHA512 | 38f5f55bc36e3d4b7e25fcf8f00efb6dc6608c0431f64a5aef75c12f1c1c44ed022f824151fbf1663bdcf2451398ecd3b7e0e6df11845422852ddb957e5b8ff5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | f39998eecfe3ef47ac5ff4df2f1742eb |
| SHA1 | 44ca6bf7ca78cf96a38710e2b33431316320950d |
| SHA256 | 8200d139a44ed7a89651c83e0a25c99911ea9363e6d206e94ebe500cf826c8eb |
| SHA512 | b6f10515c7f44c743a64a4c3a54b1ec9ec12dd8c6013091863bc1f50f0cab65c48d4b74143a2a3fe74bd2d8183644fcc9b750395e15f62cfa6e7042485c20001 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5ed1db23490cce9be3985f007d388ff7 |
| SHA1 | 91734c6f5373160e55cc7578245bcb4d1ff49559 |
| SHA256 | 704627bc26ee813bef8708956f7dd1f28e58b4d128ab43f34e52d24c7c40207d |
| SHA512 | 6924308e714005078bddac134fe2930238e7c1486326064eba1ad96626d2d64bc4d24aab61337c9d8b5c0fcbbf476ddbe5938d5a5d6c4076ccbd17a37e2fcfb4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 918ecd7940dcab6b9f4b8bdd4d3772b2 |
| SHA1 | 7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4 |
| SHA256 | 3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175 |
| SHA512 | c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2 |
\??\pipe\LOCAL\crashpad_2916_LDGCHPARTXDXFKVW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\EF32.exe
| MD5 | 56dbeb16231126799330a7757399e5ae |
| SHA1 | ff3b170a83a8b745423292ac62dc77d8a0a10efe |
| SHA256 | cca5f0490726143a1f62dcc3fd724624fe6f819e1e6d2c106849f34a24618895 |
| SHA512 | 045b4b8b4abee9a63d37e06859a955357b3ea320bf381f57927652ccae9ce8f49501c5a117e855173c2f1443ac52e52fc5427855a255207bdfd685559215344c |
C:\Users\Admin\AppData\Local\Temp\F00E.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6cB66Yp.exe
| MD5 | 2e3a7c525a4cf510bd09c42f07329da8 |
| SHA1 | 3e320521f5fb099962135f7453126060d4d0cd15 |
| SHA256 | 4ec51aacea2af6a561e0b21a56225daf95edad0b6f30ca2b4a31a794aa643899 |
| SHA512 | a56448647d44759abc651b908bbeb6382079051fb9a10f3e8166e4ad444b5190962a9a1c98a4c67b4e7bca61909588f1140fb69eb4d9a290d412262bba43ad72 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ex8QX0jl.exe
| MD5 | 031671d2815cbd715c8293ebd9bb74a6 |
| SHA1 | f3a488677f6935c508e4901842e30e26d7bee83f |
| SHA256 | 155d04d948f6c7c4f284b8feedb71fbbfce702d8932022563dfd262d947160ca |
| SHA512 | f9c7e1064e0476f81753142c9fa784459d2852136a3cbb2a69b1cff0759341e9391c4310cd1cdb38c8de235304a0946d42027f36a58050354e03933fa395afa2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 5de3907f20d322363cd78a1ee7a53a6f |
| SHA1 | 2b395f245420b552e0a80f9b0059cd9fd5162c9f |
| SHA256 | 44adf4d8f19e8b642e7a365c436eb5ec8ecb344786241a96fcf37b9728066192 |
| SHA512 | 6aacf7e5a3dd1b60cc3af6f4783c7a64d7d91e65df2a460d1f610646f60c564b797252e9aee6a221ebe4b076e13ab3ad591beeb3dab90ec437d5651e1f91f618 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ke2Ql4ic.exe
| MD5 | ca9ffac4fdcc2d4974863f7b8229a98d |
| SHA1 | 33dda52cc4aefa81240d4f1d1f13fcfb1a36dd9c |
| SHA256 | 03c43aeff4fcaa849f37634389302adce754532ba9bb8c900183f532c553c3d5 |
| SHA512 | 95a1b8e7850dc56dc036cf9e2340d1962fd4b05d4dbba67ef69da3608188c742f8f8e4c577a4bdaf9511d741f80623eba92aec8de0241925f16ef7be7b7bafe3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Yx607xa.exe
| MD5 | 239e209a7b65b3292cf7f20ed90834e2 |
| SHA1 | f27d63c298e61865e2b67a836b04f3d9aaf22b91 |
| SHA256 | 78f862fd340d055e4dbce6de271a6eedf6deddec1f3a050fc4c4f012478a7242 |
| SHA512 | 5c1e59ffbcba5651dc04a965b41c803267b34fe6363c5706e1917dfe64d7588e7baff652ce4f7eb2673cd1f472802943572f1d85165cb52aa2e3d7e1b2c15b3e |
memory/5500-432-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/5580-435-0x00000000001B0000-0x00000000001BA000-memory.dmp
memory/5580-436-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/5500-438-0x0000000006F00000-0x0000000006F10000-memory.dmp
memory/4472-518-0x0000000000400000-0x000000000047E000-memory.dmp
memory/4472-523-0x0000000000480000-0x00000000004DA000-memory.dmp
memory/4472-527-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/4472-569-0x0000000000400000-0x000000000047E000-memory.dmp
memory/4472-570-0x0000000073C70000-0x0000000074420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/4832-597-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4832-598-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4832-601-0x0000000000400000-0x0000000000434000-memory.dmp
memory/6064-602-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/6064-603-0x0000000000510000-0x000000000054E000-memory.dmp
memory/5500-604-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/6064-605-0x00000000075B0000-0x00000000075C0000-memory.dmp
memory/5580-608-0x0000000073C70000-0x0000000074420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 86791bfff4dc8b90edb85d36a48c6c68 |
| SHA1 | 35cce200da1412e366144ec7c9e53afd85167908 |
| SHA256 | 98f1665315b0775d0ff3360a0dc8a85e91f16427ddcd8a925ea60fe563801eb0 |
| SHA512 | 4a804fb5622a2d588307d5ad91677dd86e72020c3b28f9e8a388cd2caa0d0e418d20b4bc68c78162e99d956a342828c2a14b6829fc4b517bcd3b723836dadb64 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581875.TMP
| MD5 | 9fd8a53c29bd9d7f5b787242831f6698 |
| SHA1 | e5a1c7ca0a48faced7d831954c9819261954e727 |
| SHA256 | 4433f01c469ff8c57c0ee8161c4a6fc931a079f8152d90f8b0363d1ea368766f |
| SHA512 | f79bcf329244907dd86115efefb5f7b9fda326384872e14c1551ea1344c414bd06718085c39ba73f6b70f3e5162d3ee5357aebb6daa04cdea914ca24d97c7504 |
memory/5500-626-0x0000000006F00000-0x0000000006F10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bde3e9322699a193ae7d164b32708c71 |
| SHA1 | f98f80b1c1d635740a9b7320786d4900ea4875b0 |
| SHA256 | 037151c0f0648f1a5bfcfe71597f4c8d2b0027f0cb6b4ad03e8c6bd3f0406b78 |
| SHA512 | de9e22ceeb492789f262594ad0cf8af070e53f73834b571ac09ea215ff7ff319ae4448bcf72bf261226a9fe1ed0abec1206813c82b63704d10aa734460628647 |
memory/5580-646-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/6000-658-0x00000000005C0000-0x0000000000FA6000-memory.dmp
memory/6000-657-0x0000000073C70000-0x0000000074420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
memory/1944-718-0x0000000000550000-0x00000000005AA000-memory.dmp
memory/5740-719-0x0000000000BF0000-0x0000000000BF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/5740-727-0x00007FF957220000-0x00007FF957CE1000-memory.dmp
memory/5740-730-0x000000001B8F0000-0x000000001B900000-memory.dmp
memory/6000-732-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/6064-733-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/1944-716-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/1944-734-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/6064-735-0x00000000075B0000-0x00000000075C0000-memory.dmp
memory/4084-741-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/4084-739-0x00000000006D0000-0x0000000000AB0000-memory.dmp
memory/4084-749-0x0000000005370000-0x000000000540C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | b81b2eb3482efa33317c20415beaf6a4 |
| SHA1 | 34711c1bad47eb6b94c242473de396eb9362543e |
| SHA256 | 61bf7b52d24d540150690db32dd12dbc9a11f8b7ac4bacfd1516df25c2b583dc |
| SHA512 | e4f6e69851a7ce778c7e1f8f4904654e887ef505dfe1fe9bc26834f96b787f4573b9bf9d827328690ec274ca102a8a0ce6b098cd49d51214f43760ff7227464b |
memory/1944-757-0x0000000000400000-0x000000000047E000-memory.dmp
memory/3636-755-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5740-761-0x00007FF957220000-0x00007FF957CE1000-memory.dmp
memory/5744-763-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/5744-765-0x0000000000900000-0x0000000000909000-memory.dmp
memory/1444-766-0x0000000000400000-0x0000000000409000-memory.dmp
memory/312-779-0x0000000002830000-0x0000000002C32000-memory.dmp
memory/1444-780-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 705aa57223a9c0c26b207f97fc454a38 |
| SHA1 | e9c3f1c77c3b5b403f533d73a745adf66eb9a73c |
| SHA256 | 0a7ef1bce447895f6c5bea5947a758409f277e0424f6207750a3a178cc7ec11b |
| SHA512 | 18346567cf273f8b9e7d2fe36d5adee823b3acc304231bf55fbb3efc194a35e2a2e4caa18f34078cc220cffd8b15325738a8c7b2291c6a18a33e80f74490e6a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583da0.TMP
| MD5 | b107a65348ad7531d9ee6dc66c3da44c |
| SHA1 | e8a537ee835d8ca9cfc31b850d99d24dbc971249 |
| SHA256 | f1eb00d607f0d22294110e24ae76f14b4902a508ee3d5745425e9e5d048db431 |
| SHA512 | 537a786e56704e5343d56006cd787f682e7d3ef908aa7ef34e6b7464572f5f17a57792a266e60ee845a5482f7a14a7fd5d3f175b8c510eaa1ed20e5b1b48df03 |
memory/1944-753-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/312-836-0x0000000002D80000-0x000000000366B000-memory.dmp
memory/312-837-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5856-838-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3764-884-0x0000000000400000-0x0000000000636000-memory.dmp
memory/3764-885-0x0000000000400000-0x0000000000636000-memory.dmp
memory/3764-887-0x0000000000400000-0x0000000000636000-memory.dmp
memory/1616-890-0x0000000000400000-0x0000000000636000-memory.dmp
memory/4084-894-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/3636-895-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5584-897-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/5584-898-0x0000000004FA0000-0x0000000004FB0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b1d4c6a96a1bdbac147994aa425b8754 |
| SHA1 | 0f5b9aa11bb5819b9a746d6e91f0a35a116b6212 |
| SHA256 | d6a1f052cfaef61bb9590699af490b1638e35ec5c4ee0c65de5d8894d80e0771 |
| SHA512 | 0c9d41bf13009600c25252efa7b105a63d56c21c534c5bd1125d70b9cdc3ff1c90282d9b412f62a7a79fb37f8488772ffcea297e485e002b82b0393175ab85f6 |
memory/5584-896-0x0000000004EF0000-0x0000000004F26000-memory.dmp
memory/3376-909-0x0000000002EF0000-0x0000000002F06000-memory.dmp
memory/1444-911-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvtzzetm.bc4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/312-928-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/2840-929-0x00007FF690250000-0x00007FF6907F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bd7167d367d4bdcae4708bf3dc12dcd7 |
| SHA1 | e59963cac6c80a47f7ef463eb47673587b7d0a87 |
| SHA256 | 70b7903614fce4b12cb64a05f09badb94e4cea2263f293e0d7b2bac87be3dfa3 |
| SHA512 | da6c51bd0c51309efa671d1d7cca3557263bf6fa700726ed8556ac4cfb870e01d6487b3a3d9e1f912bdcd62764e289134fa7da4ddb716f0a007e648667d35f9d |
memory/856-961-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-966-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-971-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5856-972-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/312-1000-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fd910be9f39171fa03f468d87cbfa545 |
| SHA1 | 8330d85f81aa5d30ab46111dbc5537ce67af6282 |
| SHA256 | f73a8f8d7ea8337fb5bc5d5bf3b2562e1ff9930a1f30920f73ba46e40d9aa605 |
| SHA512 | 4aafd791133361bf86521cea97dbec9779245929474ffc3e1923e21c8808170b53bf6a04947c9d651538139069f6233e3450dc20c2bfe1d2480de332728045f8 |
memory/1616-1010-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5061c482-8324-424e-8a14-e7b0f4a8420d\index-dir\the-real-index
| MD5 | a50cc2800bb2e2edf5ab4c3d5ef7c331 |
| SHA1 | c832e222e20a63b4a1c29c7929cee152e2add104 |
| SHA256 | e6d9a0efff879453dde5273d9c67c4380bce48c5ce6e753d8b0655b7a9797342 |
| SHA512 | 22f3293d97a3cddb24710c88470afe32c9b2faa820bb5745142aacf0438c1cd481e73ed6035d8db2728aef65f021e97e67f0cdf2f00630fd654367fbe2333a1a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5061c482-8324-424e-8a14-e7b0f4a8420d\index-dir\the-real-index~RFe5876a2.TMP
| MD5 | e4abfb97e9ef29e027a58ae9b9f5d624 |
| SHA1 | f91d759b0076d5d6ed1f0bff38f0f32e60038f2a |
| SHA256 | 6ebdbb8ad263304b01087138e8178d194421a5f53a2e3b92e7784f97d4e804ac |
| SHA512 | 6c6997e46a106a6aded372723fa906e89be33d2a26be37c2ad2a4fa50044779e3d5ab1a87ed73984dda432e2a29872bb9b452df7d94c1746548cb4fbdb21b343 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 16f13610e52f60f607cd67f12add3345 |
| SHA1 | 0040325fa3ff892bfff8636745bf5cf721e36008 |
| SHA256 | 0445123cbe4ec0132e08210a86bd6994dc8f55e5e4cd915734af36cfb148ddd3 |
| SHA512 | 6d6c00918d292c5b29311596291fa0e489534950de58c8df1cb4671b8bb58f5ffce9e66e6856306bcb6e53ae71d51e51f459b3e007b4059f84f67ecd7d58cb41 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b2557d0611f03dbe388e2f0a10e73a0a |
| SHA1 | ae3728e8ef1198df1408e442428910d9f860ba21 |
| SHA256 | 37e24992d2a92433f11c72309aa5a3e582f03e9b250c1ce59c4878087c0f418b |
| SHA512 | 8b758d81870e5420e015aad91de3496b0a4887b1843917acd7a5e710f31e3fb0ad954ce8ba1a94db82bb79579a50e330e0a12c94afb07aac835c2fce6ad68552 |
memory/1616-1130-0x0000000000400000-0x0000000000636000-memory.dmp
memory/1048-1149-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5068-1185-0x0000000000800000-0x000000000083E000-memory.dmp
memory/448-1186-0x00007FF6D19C0000-0x00007FF6D1D26000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 43c2570d7a2d00a914fa7a14fbeecd8a |
| SHA1 | f6b3bb1b2c3753714a668c994709cfad80edac82 |
| SHA256 | 64d62df38c0ecfe4619e0f0323eab41220ff77de118ab322584c8d103054a43e |
| SHA512 | cdd16d677ee3f8ffe8db4f8c3c6b3f764ad5b39a9dd59c87e1cae967a9a3b359b0fa7e2c870bc6381e50f430d2d8dac0a7f62797303b5d2257d063a55e0a2840 |
memory/2840-1224-0x00007FF690250000-0x00007FF6907F1000-memory.dmp
memory/1616-1246-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e8ab4f84824f5c89b109fb89a0cb80d1 |
| SHA1 | 8489def97eb6c203f418990c6b2587a043f975b5 |
| SHA256 | b027a8e4832b919a92d909c4936021806c725231625d490ea792abb12578f701 |
| SHA512 | 89e32e74064fd3d528351cb3cd07b0370dc45287dec27c52fce1c7f83b7eaa355090de28bcd3642d2b5af0299668f4547a3c1836abb023e024b1153d0fb85806 |
memory/1616-1329-0x0000000000400000-0x0000000000636000-memory.dmp
memory/5436-1334-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2ce076c5c9bba990fa7d8bd6fbf1516c |
| SHA1 | 143b0a0a25ad7120dd2fcf247dd803b5d9391d4e |
| SHA256 | 960e643eb0607cde063122f197b09050bb43a5ed67bb9ef5a20192a0f7607c3a |
| SHA512 | 071616a44b2bbab8e46e3bf0982068b9d003cf08518a4cc15d41eb1bf19595d3f4e81bec0f1ac9bff8945d3d5d9a0c4a86b5739d3300c281cc0da0498a4b1e34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1b9246bf96b8aad2883e1f0f7a8d0f8c |
| SHA1 | d986e520b58bc6f61e02482c21aba284e24f8787 |
| SHA256 | 3a7789aa16374e5de01bd719d865f271b6a7b70ad79001edf92727290de1d1f9 |
| SHA512 | 4e56943813cf2035aeef7fa570e8aba5cc97aa7b49944fcefa6c2154da0f99607089e454b3ceee05d56540b309a03ba4d90b1cab1a6b1c91d3465651bc5b54dd |