Malware Analysis Report

2025-08-05 16:13

Sample ID 231026-k32kcaeh72
Target 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0
SHA256 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0

Threat Level: Known bad

The file 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0 was found to be: Known bad.

Malicious Activity Summary

Detect ZGRat V1

RedLine

ZGRat

DcRat

Modifies Windows Defender Real-time Protection settings

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

Raccoon Stealer payload

Raccoon

Glupteba payload

SmokeLoader

RedLine payload

Glupteba

Downloads MZ/PE file

Drops file in Drivers directory

Modifies Windows Firewall

Stops running service(s)

Executes dropped EXE

Checks computer location settings

Windows security modification

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 09:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 09:08

Reported

2023-10-26 09:11

Platform

win10v2004-20231023-en

Max time kernel

96s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4AF3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4AF3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\4AF3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\4AF3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\4AF3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4532.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\493C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4AF3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nO120ja.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A4F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1157.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4AF3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4532.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8725.exe'\"" C:\Users\Admin\AppData\Local\Temp\8725.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Drive Tools\is-KHOCV.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-QFFOU.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-987R3.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-E4G1J.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-2P3C7.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-2O18J.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-A7GGR.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-VV009.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\Lang\is-UTO9D.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-CLEF9.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-J2OSP.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-0N1MV.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-4T2MS.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\zDriveTools.exe C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-AMF2J.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-DITDB.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-E3QTU.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-MMSQH.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-GDBKB.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-C43AH.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-KTTVU.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-RO3IL.tmp C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\4F3A.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4AF3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4988 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe
PID 4988 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe
PID 4988 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe
PID 2932 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe
PID 2932 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe
PID 2932 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe
PID 4060 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe
PID 4060 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe
PID 4060 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe
PID 3056 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe
PID 3056 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe
PID 3056 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe
PID 3668 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe
PID 3668 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe
PID 3668 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe
PID 432 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe
PID 432 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe
PID 432 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe
PID 2620 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2620 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2620 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2620 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2620 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2620 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2620 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2620 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 432 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe
PID 432 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe
PID 432 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3668 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe
PID 3668 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe
PID 3668 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe
PID 3056 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe
PID 3056 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe
PID 3056 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe
PID 3564 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4060 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe
PID 4060 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe
PID 4060 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe
PID 1236 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1236 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1236 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2932 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe
PID 2932 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe

"C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1844 -ip 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 196

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1DA5.tmp\1DB5.tmp\1DB6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x148,0x174,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16123523405751983624,8471195437817248918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11715136987403279359,8478760683434930365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16123523405751983624,8471195437817248918,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11715136987403279359,8478760683434930365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\4532.exe

C:\Users\Admin\AppData\Local\Temp\4532.exe

C:\Users\Admin\AppData\Local\Temp\45FE.exe

C:\Users\Admin\AppData\Local\Temp\45FE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\47E3.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe

C:\Users\Admin\AppData\Local\Temp\493C.exe

C:\Users\Admin\AppData\Local\Temp\493C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\4AF3.exe

C:\Users\Admin\AppData\Local\Temp\4AF3.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe

C:\Users\Admin\AppData\Local\Temp\4D84.exe

C:\Users\Admin\AppData\Local\Temp\4D84.exe

C:\Users\Admin\AppData\Local\Temp\4F3A.exe

C:\Users\Admin\AppData\Local\Temp\4F3A.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5836 -ip 5836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nO120ja.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nO120ja.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3656 -ip 3656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\8520.exe

C:\Users\Admin\AppData\Local\Temp\8520.exe

C:\Users\Admin\AppData\Local\Temp\8725.exe

C:\Users\Admin\AppData\Local\Temp\8725.exe

C:\Users\Admin\AppData\Local\Temp\88AC.exe

C:\Users\Admin\AppData\Local\Temp\88AC.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2516 -ip 2516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 784

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp" /SL5="$F0090,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\A4F0.exe

C:\Users\Admin\AppData\Local\Temp\A4F0.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 572

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\1157.exe

C:\Users\Admin\AppData\Local\Temp\1157.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8144 /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe

MD5 7314f5a7e85457f5c2158ec8284a4b68
SHA1 d0fe48e2652816ab7a1177424827a626d055f57e
SHA256 233f77d91996d0dfc883f9610e6ff108c3f6295cfbe9f03f934b1ebbba4c506e
SHA512 8ce8ab0a9ee2aa98a2d2a4388050f968ab0d8315b4f35843e12859fab373365989370a0ebc6f6fab178f694738d6e29241ff5ef4e76ba6c83c913bf0903e44b3

memory/4812-65-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3320-66-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-68-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-69-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/3320-71-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-70-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-67-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-73-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-72-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-74-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-76-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-77-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-78-0x0000000007F00000-0x0000000007F10000-memory.dmp

memory/3320-79-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-80-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-83-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-81-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-85-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-87-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-88-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-90-0x0000000007F00000-0x0000000007F10000-memory.dmp

memory/3320-91-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-92-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-93-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-89-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-95-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-97-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3320-98-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/1360-99-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/1360-103-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe

MD5 485ca334a9cccf3c67f3bc2f5818e438
SHA1 70677dc0b2375fbbdd03be0aa74961a48161fb1d
SHA256 63736f770cf2740fcd586d6cff9e01fe836bcbe7708dbb69d3b2bd81be207d02
SHA512 80bdf4e716e55ee05a89f03c00b81c67e83550d6f7eb5f4cb9c839baacf13b2be1ce006899131f183f9e7c2f9b3bd47b750098855df26a3044f8d4f138fba7e3

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 485ca334a9cccf3c67f3bc2f5818e438
SHA1 70677dc0b2375fbbdd03be0aa74961a48161fb1d
SHA256 63736f770cf2740fcd586d6cff9e01fe836bcbe7708dbb69d3b2bd81be207d02
SHA512 80bdf4e716e55ee05a89f03c00b81c67e83550d6f7eb5f4cb9c839baacf13b2be1ce006899131f183f9e7c2f9b3bd47b750098855df26a3044f8d4f138fba7e3

memory/1360-107-0x0000000007C70000-0x0000000008214000-memory.dmp

memory/1360-108-0x00000000077A0000-0x0000000007832000-memory.dmp

memory/1360-110-0x0000000007770000-0x0000000007780000-memory.dmp

memory/1360-114-0x0000000007970000-0x000000000797A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 485ca334a9cccf3c67f3bc2f5818e438
SHA1 70677dc0b2375fbbdd03be0aa74961a48161fb1d
SHA256 63736f770cf2740fcd586d6cff9e01fe836bcbe7708dbb69d3b2bd81be207d02
SHA512 80bdf4e716e55ee05a89f03c00b81c67e83550d6f7eb5f4cb9c839baacf13b2be1ce006899131f183f9e7c2f9b3bd47b750098855df26a3044f8d4f138fba7e3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe

MD5 f87b7e6becd44618753e035967c8bc97
SHA1 85be3124ab32215ec98b2e28239c743d3c47bb65
SHA256 081b4842b5f44def9feaedb09130cd43a53b0c6c009e87318f9135705b258398
SHA512 b9e72eaaf00d26050425a0758a8e6725544336c4ece254b491288041f30396813bcb5a54e57dccab115d324dcf5e2287c5f4410a0e17f3635f767b227e84c1d8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe

MD5 f618643bee2aa9e0e4638eef2c79c7f9
SHA1 42386067fea65158cf37c37205480c75c1f720ab
SHA256 e04b98a1ec88ebed5aafc755de5d358205e5f808fbc0c3c9644b5d0342b92113
SHA512 8ff98362ff36d92be50a3c22f1f41ab57b287f161b214d03db490dc18f83c8afd6deb25913b2a71ab077f69f2ccd9769b43a5d1f4c2fb8027ab81c07f43edbc4

memory/1360-125-0x0000000008840000-0x0000000008E58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1DA5.tmp\1DB5.tmp\1DB6.bat

MD5 376a9f688d0224a448db8acbf154f0dc
SHA1 4b36f19dc23654c9333289c37e454fe09ea28ab5
SHA256 7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a
SHA512 a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b

memory/1360-127-0x0000000007B10000-0x0000000007C1A000-memory.dmp

memory/1360-128-0x0000000007A40000-0x0000000007A52000-memory.dmp

memory/1360-129-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

memory/1360-130-0x0000000007C20000-0x0000000007C6C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e9a87c8dba0154bb9bef5be9c239bf17
SHA1 1c653df4130926b5a1dcab0b111066c006ac82ab
SHA256 5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5
SHA512 bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

\??\pipe\LOCAL\crashpad_3468_KFSGNZYXEDYGLHNN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_4808_WAPZWYUYOJXSFSED

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

\??\pipe\LOCAL\crashpad_2104_WHRVNUXTBJIZFVUB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 07c0799f041fd561622f5b4e5d4651e6
SHA1 93b1da78852b003864a9e6587e790284a4b69af6
SHA256 58706f7ec054dce1e89234f3a642d563650818ad2058edf0507cc92055e5f6b6
SHA512 c9a04ce1022d0250b587791144abac99948bd8821837892c595344fe8450eb709bdfd27a73c0cc02b6166f3512499560d471da43e5decba50c05be8cbb5d42d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6cafafdc33f9ebbe3a7167e77f2eb7cc
SHA1 e6d20199ebba7b986b015e853356659f3c2f467c
SHA256 ac417c9c51fc9aebdfbeeda04c913b9c6fab8845de9435dc81885f30ba149033
SHA512 236495b61dd715d554d6a193bd2a767ce86342a7c0d7148c304c7c7f28d212a92c00d104a52b9e0e823d3b2c953ff4950398e61e2987693e9f5a988fae5460ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 71317137404ee085e72fbf81365e6b27
SHA1 b785d9c4895c3f7434005c98457797b291653ac7
SHA256 0e6f479d1deb2e12dd1301e543b44f8d900cdb2832085a9a2b99ac924d773463
SHA512 94401512327e63458d4a7b8cd28834f613d0198c659d2a4bad1857e4727ff0a6f62aedadb60b1d9eec3807042c81c108435fbe2c9236cbca2dc605e0582da1f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 07c0799f041fd561622f5b4e5d4651e6
SHA1 93b1da78852b003864a9e6587e790284a4b69af6
SHA256 58706f7ec054dce1e89234f3a642d563650818ad2058edf0507cc92055e5f6b6
SHA512 c9a04ce1022d0250b587791144abac99948bd8821837892c595344fe8450eb709bdfd27a73c0cc02b6166f3512499560d471da43e5decba50c05be8cbb5d42d2

memory/1360-223-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 485ca334a9cccf3c67f3bc2f5818e438
SHA1 70677dc0b2375fbbdd03be0aa74961a48161fb1d
SHA256 63736f770cf2740fcd586d6cff9e01fe836bcbe7708dbb69d3b2bd81be207d02
SHA512 80bdf4e716e55ee05a89f03c00b81c67e83550d6f7eb5f4cb9c839baacf13b2be1ce006899131f183f9e7c2f9b3bd47b750098855df26a3044f8d4f138fba7e3

C:\Users\Admin\AppData\Local\Temp\4532.exe

MD5 107010beec076341ed4728108616ae14
SHA1 d521c427abf30e3dea44b2e3a6715310b13d5236
SHA256 a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52
SHA512 c3646f0d843750387e5b839247777ae8ad2ac09c8a421f5f51f9da537de753fbe2598b172e704a1e80265305f08c66cd5e60130cbaca52774bc0451ab032ca78

C:\Users\Admin\AppData\Local\Temp\45FE.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nn31zD.exe

MD5 98a2734462446ebf5db975552f8c3c8e
SHA1 c75f3c8fbe8525612e77567a0ecd9ecb64cc661c
SHA256 910708cc129975a0a98380675d997f51d329d0dec207f7dfcf0b1bb894169742
SHA512 a262383efa2c8444ee57f40a5ffe7fd6ea4d837ae4104b28f573a7e5ceb094aeafba81b64be8eb52dd8dcb14f786a17e4afbb6b144f64731bd860abe6f31a46e

C:\Users\Admin\AppData\Local\Temp\45FE.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe

MD5 5e5e0f3b6bd23c17863a01d7e4439671
SHA1 2ac6bbedefd43a4fb1acb1b86982ff19ea5ffe8a
SHA256 db3f5deaf908591e151bdb9b23661598a8e6fb49973908c3fcea984b53897aab
SHA512 545ca59ef97f0dc4b3ca7830e58a7845915048fc8fffa365d7b3d555f77942cd5c906f4cad384c169c1ca511f3e50a31a8a4a36a101ac6069f2f469faef6e89a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe

MD5 e7f0ff0fc5d8ea2d182ae44634559875
SHA1 a7b2e67408a3f1d28d494c8a28089ca6347e3bff
SHA256 d30cdc5c8dcc4fae16924de9e07d71de570b81aa8f8746fad42c4193dee99154
SHA512 cab1b57bd4ee2f32c71f9b787bc150bbfc9aeb103d1b636cbec572d543f6056b49ace8fd84a7c4d34499abcaae06a6fa4462d14a1c7a6e0e52be481c8dac729c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Lk719Ok.exe

MD5 7314f5a7e85457f5c2158ec8284a4b68
SHA1 d0fe48e2652816ab7a1177424827a626d055f57e
SHA256 233f77d91996d0dfc883f9610e6ff108c3f6295cfbe9f03f934b1ebbba4c506e
SHA512 8ce8ab0a9ee2aa98a2d2a4388050f968ab0d8315b4f35843e12859fab373365989370a0ebc6f6fab178f694738d6e29241ff5ef4e76ba6c83c913bf0903e44b3

C:\Users\Admin\AppData\Local\Temp\47E3.bat

MD5 e3df28bbdec9b43526669c0648443dbf
SHA1 81bbb1c5aea563f91bce61cf79f3cfc7f69d760d
SHA256 7b573c1cbda5ff15ce7ec01d2d7cc7f0cb6989ac833d257d3f8e6e7a61b24ddc
SHA512 fa2f26347174e260b09e6b7e035e6ff2a9dc0293c886255db3a19927ee35df4b318b712f3366bbf8f0f814cfde08bf60c81c639f2f345e3714f6110b9bc33f62

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe

MD5 ee6710d772b4fa041ae3a6f57e8d7c05
SHA1 92345b8a2ece6d56842520922dd9f656cf347e96
SHA256 73b205f448b646e118fbaf2b64497d60ae79e7c528f69dda34aef6028ef91698
SHA512 d200796376d83c7723e3a041e5a30f5e07849ced11f313b5d51f0752e2e5fb85d225bb7ffc6f309408444adb9db881e1325e8428374e44980de42f1763033d0c

C:\Users\Admin\AppData\Local\Temp\493C.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe

MD5 ee6710d772b4fa041ae3a6f57e8d7c05
SHA1 92345b8a2ece6d56842520922dd9f656cf347e96
SHA256 73b205f448b646e118fbaf2b64497d60ae79e7c528f69dda34aef6028ef91698
SHA512 d200796376d83c7723e3a041e5a30f5e07849ced11f313b5d51f0752e2e5fb85d225bb7ffc6f309408444adb9db881e1325e8428374e44980de42f1763033d0c

C:\Users\Admin\AppData\Local\Temp\493C.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

memory/5288-331-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5752-349-0x00000000008C0000-0x00000000008CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe

MD5 9046d6452dc56f767b5634b91984df5b
SHA1 2652f44290e9aa986150c1d8ab0ebfd09dbaedfc
SHA256 065c2a915f5d18dff55ae9638fe2cfd99cdbb56bad37a6e62972d41180b53d01
SHA512 fed245375b595b7a1a66bcf91cbc9407fbaa3f35ae7c270879dea494fce8a7b144a6d293af8e4416ae09477edfb2caeb929c87eaaa4ffad4077bb8a63d4fe5b9

memory/5752-351-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5288-354-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/5836-358-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5836-359-0x0000000000550000-0x00000000005AA000-memory.dmp

memory/5836-364-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 22abd056c5644fbba471fb012fade977
SHA1 6a226f4a66a912248d7a8a4b43afad7c944e7dd4
SHA256 8ab508b5349e7ccc679b8ea80af86ecd2a936bdac423d413e8d6fd69150babb8
SHA512 1232252a069948c214a7af1de97eaee85f9c391e76b2638de6a20d24a8fc4c0132cbe3f83464f0ad09720ab9c6ed8cea57b3cccc59d78572a6a908bd56577758

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 3a748249c8b0e04e77ad0d6723e564ff
SHA1 5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729
SHA256 f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed
SHA512 53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4fc15d0cc61569727482f7d73ff74dd1
SHA1 84bfd1642143e2bc8e256ee3bf604926c47a1c49
SHA256 b6bcd108dc56cb91c3889195edf90ba92d708901ced7b968c7cddad3a4376ec7
SHA512 aeba492b1286b034a2769f53aa2bb1a14485a9ba313d828dd8b79a55a8532968b2586a60df6ebd0ae7ef2aeaf6d93f81ecb71c1e22fa7df5fc117f0a3054aeaa

memory/5836-413-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5836-419-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5288-428-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5752-431-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3656-433-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3656-434-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3656-436-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5288-438-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/5020-439-0x0000000000010000-0x000000000004E000-memory.dmp

memory/5020-440-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5752-442-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/4224-467-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4224-468-0x0000000000890000-0x0000000001276000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b76c361694f2709057c4118729dd6874
SHA1 e65845c0639be1ee3a9829063866407f0507eaf8
SHA256 34d60d303ac766ff31ce08e522c3d6f8b1d5fe0e5d4917b1a524b06a90f7f8ab
SHA512 b42891d987baf945052b1766db9bd8d406c71541f264702f8f1d9103eb6c5b282e7af921d448441ff7eabf692526211e7309b1fd6dac0f3a5c91194f0582750f

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

memory/2516-524-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2516-533-0x0000000000710000-0x000000000076A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5416-537-0x00000000000E0000-0x00000000000E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5416-546-0x00007FF910480000-0x00007FF910F41000-memory.dmp

memory/4224-547-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2516-548-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5416-549-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/5020-550-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5020-552-0x0000000006F80000-0x0000000006F90000-memory.dmp

memory/2516-558-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 f521630a23b8bd0f2260fefb2c596495
SHA1 014454c72bbf67b103372cc8f9b965ed6b83b74f
SHA256 99076c101d2d20a0f7c97376e330f7b39ee5dd6885582f49eff6c041973fc3f1
SHA512 4e033586834f15bc471184706cc10822ac6be52a2639df7b5973f14fda7bd440829f15e7ce112049c6d04cb445ef5393943ed47e19c2107bfc063db13d6e0d4d

memory/2516-564-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5140-568-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5416-572-0x00007FF910480000-0x00007FF910F41000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a41b.TMP

MD5 5cc4538b07c8f34a247c6d48c2261b0e
SHA1 f0b65d86d1ccda4b1f1cdbdf138048d4080c6b74
SHA256 6d779d5a4e89eb054b3cfe1f3915820b6e74322e3b3162546c83d8b4ee223b57
SHA512 9b5bced25890ecd69b2869881b07c864f72764ebd467889dab49868262fe45bcdb127c91490b8300772908499ba111b1df8d33f1b803b677410b623acb8001c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8c359756c68ee738e048a20f0448108d
SHA1 c1da824b903a2c22a7e1e5c1bfdbbfbddd59f765
SHA256 4e9d40b60e35dc7a6ed8527e26ae49195f5866a162bfd6d9c0e48f69bf77c7d3
SHA512 06735de224699e7db24f6a72e65171a6539a3ebc32b390120e9f85147a4e3e5ec757639bdaaeabbe8f5efb1422ca0d66b367977beca205fcc05ae32de813fa84

memory/6084-598-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/4240-600-0x0000000000340000-0x0000000000720000-memory.dmp

memory/4240-599-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5900-647-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1316-660-0x0000000000400000-0x0000000000636000-memory.dmp

memory/1316-663-0x0000000000400000-0x0000000000636000-memory.dmp

memory/6108-668-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5648-669-0x00007FF756D80000-0x00007FF757321000-memory.dmp

memory/5900-686-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3320-685-0x00000000084A0000-0x00000000084B6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 00dc05c447c6740fd73bc621115297dc
SHA1 9470771fc370a685748c564f84bdbf07b66ad7fc
SHA256 91fadadd0724ce9b773c110ab1dc216a212e22f4f33b7aaec55029a8b54b7a51
SHA512 2631c262405a04f433a018e9c11499d68e32ad4de696f59b3578a2c0974d3ac08f860e420dd21f55ee456f007fcc5ff533adb089a148de287d6b16a43b78d31c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1kyplwh1.ovt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1508-741-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1508-745-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1508-749-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8a336ddfe8c1d49cd38a347ad707c36b
SHA1 c8a9255d432684e04d5b2179407a4a0950d32c26
SHA256 3920e4ee446b70e4cad86c2d588ff3ba7145893b2cd2403210615c819044907e
SHA512 d1c31e8d5a8c0d6b8891c021a6869cc5a593dc58f138bfba427a1ebcf8c52d70aac07b408afb208127383f0667cca49d82a56d6046775a92df7396397e31c7ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3765fb3e9e7747734556a785c280bb6a
SHA1 f96bb7f089d35ff65141b340b40eba0ea1f0e57f
SHA256 694160fe8781796e8a445e5320e81088f46a224252f57d091922278796b93576
SHA512 21bd87ae5cd67d9399ce24ddd984bf5e1b0d9c61b8007eb450e801fe0088f51b503919a2a8182f879abe08351529b5b8f4915ef523c387cb0c31bd3c86ef0cb0

memory/6108-774-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/6108-821-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a695d51c499897c8fe97d4fb63ef2b5d
SHA1 669a44936e6d3ebb34c856c686038db287415aed
SHA256 3b54d651cf14ca9dca9ae8e5ce4ac9a828b457a2d6f2165eab11e786c0014401
SHA512 5985ce9d5e4bf2229fc29a2854bfd9f521f1fc5ac5957ad108a37c12b54075ccea15783a8c95fa055b619f98b32b8af4d16291edb73fe94900068d0c3737be0e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e995d18897d6713452b8639bd30b46e5
SHA1 6b3651fc2abfb886559669548726370ea007d354
SHA256 d70011f15fe5000c018986e0846eab0d20248f870e4247c1201ab9174ba31cd2
SHA512 1cf6bdd89edc5aeb31635ee2b64ba87a80c189ba8055c9fc77d1e23d46966f56968fcf6565cf1e55021b50b85e8512bace6200e25e45d59482c022a9105c7a65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d49696f0b63bb8d34e695b667c2efd68
SHA1 c5a5bfba74f5b7329257075c5c0750e03b3db2ba
SHA256 1cf5a22c5295a9494e85b5ce1d387b2a2b6aeb4da3bc79ada879f1aecaad644f
SHA512 9ba6611b33b2eaf26b4b3f7b85a64034af2301102d219e5a0879e33154f24306c259d49fc41328c5fb36b78df5aa536e74b0ac2ba1a7ded2c69f751b05f1e07d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3ee88b924d8e6322aff109dc6d81f343
SHA1 f2c06daaa55d171c92bcfd777dbe2cca13512a3a
SHA256 9e78daed4515b5edafa1e15eb10de64bf8acd6355ddd09ff50b9731ae026c7a2
SHA512 bceb069c6a7ab29b68ba704079c57734cb66746ef00d114335e7e0c1f42144a3ef7443b5a29ee7987989d2e0bb0d6416afbfba23ab5f53f6e614d479ae9fc815

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f1f0dad27869f33c4d000037c0ca901e
SHA1 a06495765d0b6ba246ccd58e5a6860afd230dc32
SHA256 275884804c9336182bc36bdc7d2ccf9775925b5154c728518152f36649f9e17b
SHA512 dc72600519105ecb7a65320e741e1a6a4cf49e1b6bc681f8763d77658512b362ea3410fd53dfee9a80b091a19d6ad8b5abdf5fa450f29281ffa8f851f18ce9e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 229012f14d951ccfefe7ca58a5085537
SHA1 6a65bab8ff7a187f0f20c90537a307d32211f5a2
SHA256 fe0b1ec19bb1e5cea4911cc96f784939eb21460e8a4926ed9759ed114238c9ad
SHA512 51a02e5b82304820af88eab9b3b4891bcf5bf559cd833ad3a5f87a71b9c43e9030a6b24654fe5269c84f6094ca9d8b22b6e7b8db189f1988bc32459b2a4bb4e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 8e60143b1ceb95b04e859bb0cc14175b
SHA1 31cc8dda786ef4593c2d27473bccaf2641b93e7b
SHA256 8a8ee4da0b14f5473c42ad351faa08db94bd6728d7befb33adc44547b9fb4cc4
SHA512 c0f0238faf64b8c79435bec4c4d260c98087cbc10637192eb93bb0d5457789fc4e0cc579cc95581dd9ca4800d4074daaac576e5b1b1011c8b6f1f38ed1c31fe4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1f779a63292035dd614c71ecb9cec0c7
SHA1 1e765e2be3d4b5969bfe6be7baa8cfa04d3d3374
SHA256 1f2fdd98cc213b4851cac588a3a052d1b137d91a350f30216dc20f16ce280ade
SHA512 2644b96c24f816843441beb584fd6cd09633e956989aff29d3226666ed184e60edbb2b72158ea733297d73834f9b42e406771a65549860db8a71a03ad83da90c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 f9359eb6b0d42a99ac54dd9c065185ab
SHA1 2734818db16473f6d022ea4d5e3d28a9d9ba6054
SHA256 6fbe7e888e00ec2c302822d28b2215ffd29d6fcbf904c4ff0dbdfdddbba5f081
SHA512 ae3400365e999e53bcde6e525b6881bf7a24b16274382b846df167e3e74f7db8ffe7050166caaa42d6bc9f80873654bd8cce898655274e884d49fe435c15f980