Analysis Overview
SHA256
7fac1ac642fe329e3da6980f6840f824b944d355b8924411ac1d0ba5ead89e24
Threat Level: Known bad
The file 93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186 was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
ZGRat
Detect ZGRat V1
PrivateLoader
RisePro
Detected Djvu ransomware
SmokeLoader
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
DcRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Checks computer location settings
.NET Reactor proctector
Executes dropped EXE
Modifies file permissions
Windows security modification
Themida packer
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Deletes itself
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Checks installed software on the system
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
AutoIT Executable
Program crash
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Checks processor information in registry
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
outlook_office_path
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-12 04:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-12 04:43
Reported
2023-12-12 04:46
Platform
win7-20231023-en
Max time kernel
120s
Max time network
149s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5a4fea48-532e-46bd-a5fb-55aa68532561\\B859.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\B859.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected google phishing page
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9E72.exe | N/A |
Downloads MZ/PE file
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9E72.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9E72.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5a4fea48-532e-46bd-a5fb-55aa68532561\\B859.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\B859.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\FFA6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9E72.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E72.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1828 set thread context of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe |
| PID 2512 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\B859.exe | C:\Users\Admin\AppData\Local\Temp\B859.exe |
| PID 1548 set thread context of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\B859.exe | C:\Users\Admin\AppData\Local\Temp\B859.exe |
| PID 2088 set thread context of 1048 | N/A | C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe | C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FBCA051-98A9-11EE-889F-76871049679A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FC625D1-98A9-11EE-889F-76871049679A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3014B331-98A9-11EE-889F-76871049679A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{302A1F91-98A9-11EE-889F-76871049679A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9E72.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\DllHost.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\DllHost.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\DllHost.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
"C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe"
C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
"C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\93A8.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\9E72.exe
C:\Users\Admin\AppData\Local\Temp\9E72.exe
C:\Users\Admin\AppData\Local\Temp\B859.exe
C:\Users\Admin\AppData\Local\Temp\B859.exe
C:\Users\Admin\AppData\Local\Temp\B859.exe
C:\Users\Admin\AppData\Local\Temp\B859.exe
C:\Users\Admin\AppData\Local\Temp\E285.exe
C:\Users\Admin\AppData\Local\Temp\E285.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\5a4fea48-532e-46bd-a5fb-55aa68532561" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\B859.exe
"C:\Users\Admin\AppData\Local\Temp\B859.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\B859.exe
"C:\Users\Admin\AppData\Local\Temp\B859.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\FFA6.exe
C:\Users\Admin\AppData\Local\Temp\FFA6.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe
C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe
"C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe
"C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1468 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build3.exe
"C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build3.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1460
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build3.exe
"C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | edarululoom.com | udp |
| US | 172.67.167.33:443 | edarululoom.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | genesiscarat.com | udp |
| RU | 92.118.112.94:443 | genesiscarat.com | tcp |
| RU | 92.118.112.94:443 | genesiscarat.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | alata.com.sa | udp |
| US | 192.185.30.176:80 | alata.com.sa | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| RU | 109.107.182.45:80 | 109.107.182.45 | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 175.120.254.9:80 | zexeq.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| KR | 175.120.254.9:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 38.47.221.193:34368 | tcp | |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | www.paypal.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | store.steampowered.com | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| DE | 5.75.211.54:1993 | 5.75.211.54 | tcp |
| DE | 5.75.211.54:1993 | 5.75.211.54 | tcp |
| DE | 5.75.211.54:1993 | 5.75.211.54 | tcp |
| BE | 64.233.166.84:443 | accounts.google.com | tcp |
| BE | 64.233.166.84:443 | accounts.google.com | tcp |
| DE | 5.75.211.54:1993 | 5.75.211.54 | tcp |
| BE | 64.233.166.84:443 | accounts.google.com | tcp |
| BE | 64.233.166.84:443 | accounts.google.com | tcp |
| BE | 64.233.166.84:443 | accounts.google.com | tcp |
| BE | 64.233.166.84:443 | accounts.google.com | tcp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | community.cloudflare.steamstatic.com | udp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 172.64.145.151:443 | community.cloudflare.steamstatic.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 216.58.204.68:443 | www.google.com | tcp |
| FR | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | accounts.youtube.com | udp |
| FR | 216.58.201.110:443 | accounts.youtube.com | tcp |
| FR | 216.58.201.110:443 | accounts.youtube.com | tcp |
| RU | 81.19.131.34:80 | tcp | |
| FR | 216.58.201.110:443 | accounts.youtube.com | tcp |
| FR | 216.58.201.110:443 | accounts.youtube.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 193.233.132.51:50500 | tcp | |
| US | 8.8.8.8:53 | t.paypal.com | udp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| FR | 216.58.201.110:443 | accounts.youtube.com | tcp |
| FR | 216.58.201.110:443 | accounts.youtube.com | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.145.235:80 | www.maxmind.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | store.steampowered.com | udp |
| US | 92.123.241.50:443 | store.steampowered.com | tcp |
| US | 92.123.241.50:443 | store.steampowered.com | tcp |
| US | 8.8.8.8:53 | store.cloudflare.steamstatic.com | udp |
| US | 104.18.42.105:443 | store.cloudflare.steamstatic.com | tcp |
| US | 104.18.42.105:443 | store.cloudflare.steamstatic.com | tcp |
| US | 104.18.42.105:443 | store.cloudflare.steamstatic.com | tcp |
| US | 104.18.42.105:443 | store.cloudflare.steamstatic.com | tcp |
| US | 104.18.42.105:443 | store.cloudflare.steamstatic.com | tcp |
| US | 104.18.42.105:443 | store.cloudflare.steamstatic.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| US | 3.88.245.197:443 | www.epicgames.com | tcp |
| US | 3.88.245.197:443 | www.epicgames.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| RU | 81.19.131.34:80 | tcp | |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| IE | 163.70.147.35:443 | www.facebook.com | tcp |
| IE | 163.70.147.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | facebook.com | udp |
| US | 8.8.8.8:53 | ocsp.r2m02.amazontrust.com | udp |
| IE | 163.70.147.35:443 | facebook.com | tcp |
| IE | 163.70.147.35:443 | facebook.com | tcp |
| GB | 52.84.137.125:80 | ocsp.r2m02.amazontrust.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | static-assets-prod.unrealengine.com | udp |
| GB | 13.224.81.88:443 | static-assets-prod.unrealengine.com | tcp |
| GB | 13.224.81.88:443 | static-assets-prod.unrealengine.com | tcp |
| US | 8.8.8.8:53 | tracking.epicgames.com | udp |
| US | 52.203.30.102:443 | tracking.epicgames.com | tcp |
| US | 52.203.30.102:443 | tracking.epicgames.com | tcp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| IE | 163.70.147.35:443 | fbsbx.com | tcp |
| IE | 163.70.147.35:443 | fbsbx.com | tcp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
Files
memory/828-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/828-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1828-4-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1828-5-0x0000000000A20000-0x0000000000B20000-memory.dmp
memory/828-6-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1192-7-0x0000000002A20000-0x0000000002A36000-memory.dmp
memory/828-8-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\93A8.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\9E72.exe
| MD5 | bd4501437676c91ef99e5491df7f5352 |
| SHA1 | 739ecfc872571d9eefd4269c952f586895285b93 |
| SHA256 | 797b384a7ba7f78f9c055a1b19538abec0552a0e14109a9494f4e19eddcc1cea |
| SHA512 | f9fcb59a58faa71c835a93c2ed2d7cff2ff6dbd90e8e7ab76179731ceb924a41653a1d24698c2a1dfc34699abe1e3acb83827ba212adc78ed87afb468dcb3354 |
memory/2524-28-0x0000000000A30000-0x00000000014FA000-memory.dmp
memory/2524-29-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-30-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-31-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-32-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-33-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-34-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-35-0x00000000775A0000-0x00000000776B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B859.exe
| MD5 | 454440503db62af8520be0827389df6a |
| SHA1 | 473f9a477bdb8a408e7fad05e858dbbaa76f1dda |
| SHA256 | b816a1f49cf7a431b9c23d32cb60eb6bae72d88b23b19a861e5f690488b00d57 |
| SHA512 | 6c7f3847a00033394f5b8adb1fadb177b6103ccd6a9205dd2dad45e550805a0cf8295df2353bbf62ce9e629c3218e6c44621f716ebef23931b34ba4102debc15 |
memory/2512-42-0x0000000000950000-0x00000000009E1000-memory.dmp
memory/2524-43-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2512-44-0x0000000002220000-0x000000000233B000-memory.dmp
memory/2512-47-0x0000000000950000-0x00000000009E1000-memory.dmp
memory/2524-49-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2992-51-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2524-54-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-55-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2992-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2524-57-0x0000000000A30000-0x00000000014FA000-memory.dmp
memory/2524-59-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-60-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-61-0x00000000762D0000-0x0000000076317000-memory.dmp
memory/2992-62-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2524-63-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-64-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-65-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-66-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-67-0x00000000762D0000-0x0000000076317000-memory.dmp
memory/2524-68-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-69-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-70-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-71-0x00000000762D0000-0x0000000076317000-memory.dmp
memory/2524-72-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-73-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-75-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-74-0x00000000762D0000-0x0000000076317000-memory.dmp
memory/2524-77-0x00000000762D0000-0x0000000076317000-memory.dmp
memory/2524-76-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-78-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-80-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-79-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-82-0x0000000077D90000-0x0000000077D92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E285.exe
| MD5 | ab0443c4b5ae89cd913377183852ecb3 |
| SHA1 | 23cf5fb65377cfe0af63adede50c50fb24dc32ab |
| SHA256 | 8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237 |
| SHA512 | 149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b |
memory/2524-91-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2160-92-0x0000000000F10000-0x000000000104A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarE5B5.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\Local\Temp\CabE583.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b81883a2de105d4b910b50d2962a5fe |
| SHA1 | 50f44de1851b5b7993cf49f00dc8c5e9ec7467bd |
| SHA256 | e2e9823c5a6e936a2e892d3fb2412c9a96fae36fc9cb36a38379a725a39ce10c |
| SHA512 | 8b5d9d8baff6db4c6a56cef4796a34f90a31df93515d22ff516fecde408911ac1ea4cb80c35de8a050026a58824edba2c5cbaabf4ba26563ff36d411ee2ecb83 |
memory/2524-128-0x0000000000A30000-0x00000000014FA000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarE695.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 78784b37d627a4b60015e0fa0e8c32cc |
| SHA1 | 8a8bd1c2a8818b897f592b6b1dd58c9e91c943d9 |
| SHA256 | a0066d4f30782556b3e77bb11e6e17e15bd519e5711e616434fcaa91895849ba |
| SHA512 | 84fd39329015672aa03ba6b00f4d4ab6e3a204d19d5b1fe99e4b40576dc7160f032b24fa74a7c4d32e2c757f0b1232d26a5b371d6d5a6dfcb50cdfc2ed8957f5 |
memory/2160-166-0x000000001ADD0000-0x000000001AF00000-memory.dmp
C:\Users\Admin\AppData\Local\5a4fea48-532e-46bd-a5fb-55aa68532561\B859.exe
| MD5 | eaa726d206d39063dfecfdd68857d7bf |
| SHA1 | 82d9371b5df7a23b949208c673f36f0245115aec |
| SHA256 | e644583c8334beb8f7dbca7990ad19b6dee04ec24d4a9a99ec91e5f5f563c2f0 |
| SHA512 | 149a2e846503cb6dde21a3dd92921e1ecc7320d154c7d608169860d236f940f5318895f1f73375a59adfb37dfb0cf5fec48d15bb201bced15504f44c3557ac86 |
memory/2160-179-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp
memory/2992-183-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2524-186-0x00000000762D0000-0x0000000076317000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B859.exe
| MD5 | d07e4f771de5483e0c5c3204f23e36b5 |
| SHA1 | f86faa7ed964557629ae0cc043ffc4e23f772513 |
| SHA256 | 1fd098d314766ad525bae8a3207233c8a2a348bb9d00b0178b414f678377ba9f |
| SHA512 | 9a2e526b7bc8543849c8dcb352526279111ac9fcc04730bd3d0f40f3555a859ab5a88277f1760babaa7950e9682cf131f07c1e61f2325c9581b45e62573b7ad7 |
memory/2524-187-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-180-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2160-189-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-188-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/1548-193-0x00000000008E0000-0x0000000000971000-memory.dmp
memory/2160-191-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-194-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
\Users\Admin\AppData\Local\Temp\B859.exe
| MD5 | 64c8d7df345288651a1faec7dc15d77d |
| SHA1 | 08bc880bd937a47c99e5f937db8aa038a17e61f5 |
| SHA256 | 8e31b221143b8eb7cd160e1ca90ea9936e29f7e40a7666e1dd41f27f306a0ba6 |
| SHA512 | 4d2134c641e1ba898332dfb30b5ceaed51bca943bc58237d73628aaacb7795bbfad8c413bcdaed5248c9b418db30965b0d112dae25e099b8972cf91cee51be68 |
memory/2160-196-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B859.exe
| MD5 | 1e954aa193ddb4a0765aa96967e85ecb |
| SHA1 | a248401fcd934d49c3ed6ab13d827630861efe30 |
| SHA256 | ecf150b2e50982f693e8f4734638f240f3c3af4113208dad6fd4d127b6daef17 |
| SHA512 | e9cdd6bea6a6a6e9d58908f48954dca0ae614170111ab27103575658f5ab50c742b542ca09069bd1143169f633a52db07b6457f1ee11e73a7b2e5459da1f625d |
memory/2160-205-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/1644-207-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1548-204-0x00000000008E0000-0x0000000000971000-memory.dmp
memory/2160-208-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-210-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-214-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-212-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-216-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-218-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-222-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-224-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-226-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-220-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-228-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-230-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-232-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-234-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
memory/2160-236-0x000000001ADD0000-0x000000001AEFA000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | d568f5ae1bc00b43e7aed5089f4406a2 |
| SHA1 | a775d20b5f877c614e3f4dd098cf0cafabc39673 |
| SHA256 | 9fcf07bf04b0fc5804bc0efb9d79a93066c8facd480f9f1021c5fa4f97581dd4 |
| SHA512 | 39989718f01aca4bfa9ac0cd0e7763f3ee797efe8ff997cca3ed580603d4c72af26b119e8989af7c6e885132b33ae10ea01ba5423456f0093297de87de368c98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 3e61f1b5c83d57794fb57876a8ce4886 |
| SHA1 | d69fb46fde92526ba21a2ee39d9b98445310a71f |
| SHA256 | 44c1f59f48fca1dbbcb999232154f060a74d760bdb510accace016de59ed4233 |
| SHA512 | 1bc86558d62a6730c2ab9b2382d68b5b35feef499b489c595ffc9fc4b776d63c0f23afcaef91b008bee22145d92067c7344d2f45ecc8d78d5bbe64ac1b2a1cdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 15c5f569a4de2974c25e3d7560f6b22d |
| SHA1 | 9dc545ff755a75b23fc7bde2dfc093644d05c2a6 |
| SHA256 | be7817bdc0b451577273c4e8369c663606d72fbeb9cc5464ecf555325ed576f1 |
| SHA512 | 49e69879afc48b99dff9c9a473a86c65e2d09bd89a8e6c990ab29e7af3f5ac8cae5770d913182fc2c6a56bf243593f61738b7a1f5ff48d4a4905fe8e0a52d161 |
memory/2524-309-0x0000000074930000-0x000000007501E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a773756f51d852452e2bf94a00fbc388 |
| SHA1 | 6f5866646b49ef57f55284172c3a94bc1b9eaa7c |
| SHA256 | d38122db03a5c6e9cf92810e0a34f4bffab71afbe95b61cc6ed2d2e1001ba29f |
| SHA512 | a4465108cf1845babbc9ddf092e193373f838486999f7d924b6b82a3180768d496a50b9e996a8917167f0ceb7cb9f63894417699a4e2f43340b30b3f9e861eff |
memory/1644-315-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2524-317-0x0000000005240000-0x0000000005280000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FFA6.exe
| MD5 | 4bb4f3afd825af2cccaf26798c188e45 |
| SHA1 | 76ec0363e57f7916a6ed8939fd90f480012c3ba3 |
| SHA256 | 5ea32b689e55e85ebfb542e49be263bffd854b02918a4c06bc4d5ed2abf56448 |
| SHA512 | 4baa62d3f6a22ff4d566be08d816e746036b8328a727430267429065aa865518b12fccbb0e132b235ad50370bb5205281a8cdc5570818a0e548a45334eeede84 |
\Users\Admin\AppData\Local\Temp\FFA6.exe
| MD5 | 479ef89ea0e7cf200f9cef5777bd4b2d |
| SHA1 | 14a5885aaaff80768aabe352f2f6a7aca10641de |
| SHA256 | be134c8b19ba837c86ce7577c8134d1b70711af823ce8b60f3a188ba639cde10 |
| SHA512 | de34cb1ecd6f1d4086e3714595c963423f5168a5022993950bf6927444a35124b0ae65e961979a42eb2cbe9338f19653b9cc712c7ebf726ed3a5b31158facb08 |
C:\Users\Admin\AppData\Local\Temp\FFA6.exe
| MD5 | 59e796390bb4321adc0ebd302094168f |
| SHA1 | 6a04c07b18576501fe698da0482e6c0c560be598 |
| SHA256 | 5d007d80b4ce6de736166b84eb9d9eee58b875ad2c22f3a9cf29bdf91d5b8ba6 |
| SHA512 | ad5859876a5a0c1b2b8670f28f56524184f4e12d1f8d15c32be48732168d773d695739a335339f99a362a172e1fa07fc481a8e4f3e76bfab7c5454780643a92e |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe
| MD5 | 5177f9d2842b74a2be7f5aba232faffd |
| SHA1 | 9b6c926c477183ff5682d2afe0cb62de976379c7 |
| SHA256 | 3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63 |
| SHA512 | 6fa2f49b55f799a8f82a8d520db344383f645c834291d731278a08e344309a9d7064ab6123e56d43a00fadbbd79694d85355b011a145aadc607137bc26befd15 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe
| MD5 | 3e05dfccb1b88983cfb2c652c6973ea1 |
| SHA1 | eb7f4d4317f7d23b5f177c732da869d5c7bfb88d |
| SHA256 | 2cb56a18d5a233d3a83f79902a05814b3ac113a0d05d00ec863ae45315166387 |
| SHA512 | 5df68fbf976d6218df6deb2eea273e947715726987e08cd66fcbb81741d4ae7581d2f1784883b7977e9a42ac18d06478cb62ca426b62445985e5fd384926bcac |
C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build2.exe
| MD5 | 2449def686158fff9801f567489d9c1f |
| SHA1 | a26a611f6c8f43745d69a6138e07f8f32b09fa3f |
| SHA256 | 4230571aea510591a55384cedd110eb4c220014ccda30d2d7018dcee89c7770b |
| SHA512 | 9fe324902e5c31e6db664b40074ffcc03cd1c13606e9e6c4e156e71cb89d1e234477454df3debbccfe5b9e2c88b52e6e8f7746832a6f2f4d4ad6a9eb0d75000b |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe
| MD5 | 4e903722f062f52bcbbaea07fcb804c6 |
| SHA1 | c81aff391e1910e733a14e2933a440581933064e |
| SHA256 | f09a3cecfeeae14f9165245c4ce951eb4eaaf4a7d061d8f6af7e8a561ad6edfa |
| SHA512 | 2d9f9472e18221c2e9fbe7a6dddface65db74a07ef0819096ed905fcb0e652c760b840172099519519c84184442410dc71e9a872fb170fb805ee47ca3cb72bff |
memory/2524-507-0x00000000762D0000-0x0000000076317000-memory.dmp
memory/2088-509-0x0000000000950000-0x0000000000A50000-memory.dmp
memory/2088-511-0x0000000000220000-0x000000000024B000-memory.dmp
memory/1048-515-0x0000000000400000-0x000000000063F000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe
| MD5 | 7c843f9498585e492c94721ad7113b63 |
| SHA1 | 03dd3da5b0fae5c0a037cb242d9f0c0e8c989354 |
| SHA256 | a25674069b6df920ad68ce548f7678c8e4620717ee97a93554fb3d4e8293d307 |
| SHA512 | 70546c2ff3b17046beffda3e4b64e78b1efeed6dceb80c79d91354bad9dacc4b978a59c541878b3f4e656e6d804dcf2c1af6b36a1bec265471f2f9f0dd83e3c0 |
memory/2704-522-0x0000000001F10000-0x0000000001F2C000-memory.dmp
memory/2704-523-0x00000000020E0000-0x00000000020FA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{302A1F91-98A9-11EE-889F-76871049679A}.dat
| MD5 | 0b80c39588c270778ae820d387a4a2da |
| SHA1 | 8feea219a5e7ce3ac418bf209051e67100d3c675 |
| SHA256 | 5c36a2a00a640e20cee026dce6bfc47856f78225c745a334296a278407e40bde |
| SHA512 | e5de5459033ca09bf882b789400fecbaba6e50e9552fa4cd3b8b4a798cdb33fa88737791ac2ea51f9de051297e178728bf689aef2ddc79029573fc422bbaab2d |
C:\Users\Admin\AppData\Local\0623d072-a8cc-42bc-8b8b-3ec603303535\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{30209A11-98A9-11EE-889F-76871049679A}.dat
| MD5 | ad796316f71721b57c44264ca032833d |
| SHA1 | f22f8b1f0af4fe136bfc7f7cf43048b9e2d2c4b7 |
| SHA256 | 2cc8860001d32e4b35f33445c89fce5191550e8b75580e5bafec1ae6fd7a5438 |
| SHA512 | 3455002a44943f8e286d1d0d19e257067ea5f53a3cb4881198dce7524e00392e3568c387be177b77712648a7a17e4ab5182f216e2dbe09ce995f68a0a17fa97e |
memory/2524-552-0x00000000775A0000-0x00000000776B0000-memory.dmp
memory/2524-553-0x00000000762D0000-0x0000000076317000-memory.dmp
memory/2524-618-0x00000000762D0000-0x0000000076317000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c35b1725cca1ede8e1d09a901ee5c06e |
| SHA1 | 4aff5740dabefff7d50a18ac506ba71cbeddd1d9 |
| SHA256 | 0d57e60342140b43efde1b20864e37d91248843717e6185be45a643051155e87 |
| SHA512 | 6e0ec8011f0c05b40be25b1739563f63b0536dafec7c1195de3a66284271de221d160eee78e94eb9343189bb20a9e3d834d0b3e391cb6e52a014b91c5d540174 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe
| MD5 | 3f8fbca34f369412254dba6a5e568d06 |
| SHA1 | 012a3b43dd88dd4240c838f66d24167ad495e2e8 |
| SHA256 | a6e75460353f930fe37074adaa5e317940b28cdf40a87493101c3149cbbe2bc2 |
| SHA512 | 2a82371f69fbc3ad7e0ec6ad43dc47564ef42c0fc22da83bcd4127eb6bc5fe83c2f8d43df2ff6587da6ab66e1d858060fda8dd4b800d4fdafe70425b59bf5f6f |
memory/2344-703-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/2160-711-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JI3QM6GJ.txt
| MD5 | 6e0cf6f65a10d398c24fb38fac560884 |
| SHA1 | 2cc08f6ef146102d87b996142e604c6a785b1ddf |
| SHA256 | 9605ad06e8e7c3a5660bf4fa051d6b5b7f65c3afef041cda027a0751f476a691 |
| SHA512 | a7602ef4811000fca1c6e1e675c22e4df185e6e5a2531ef043ac9c1375af93e85f9ed1d1ceb6f02712da6dd89d79898c86c63bf28f40cae6670213364246a088 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7T67LI6X\5C0PJIRP.htm
| MD5 | 6513f088e84154055863fecbe5c13a4a |
| SHA1 | c29d3f894a92ff49525c0b0fff048d4e2a4d98ee |
| SHA256 | eb5ecfe20a6db8b760e473f56ad0f833d4eee9584b2b04a23783cab2d5388c06 |
| SHA512 | 0418720c2eda420a2298cd45eef4681f28a588678254664903796a33713d71d878138ea572c5f556da6e04e82210111336be21802589ff0a31f3d401c13bc11d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | d4f87b4f63d3d01a694e27878293a491 |
| SHA1 | ef77dd7ba29719cf27d305c1cc96ec8a53c8438e |
| SHA256 | c77086a538c66e111854cc65dc69416e7429277cb674d34e580b04d192e8a103 |
| SHA512 | 4d40d24eec3dd781209e4cf653a7a68a8eff073c120a76c973fb2090ca0ffde18cb4acb49fe52e04c9bbf308ef86e6f5e291b6500192e3de3be52ec7cad99031 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe
| MD5 | 52a1294e34745699cd8e244d9d30a072 |
| SHA1 | 7ebc9b3daf46ede78ec773dabb5a81f69d70137b |
| SHA256 | 86594e51b749aeb216ff7339526a47e8307d160dffef3d068fc1378f9244d775 |
| SHA512 | 75cc591009083704ec56bb8874a2c54506cf8933da84e0dd6af0180f12f121a34260f5b168bc29c48d84ec28d80d2ae49c81eef792ff287ab964316823a0ade7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 677db92250c70594dada6655dc806a3e |
| SHA1 | 9f4bc2d5fa910589acd1b2b22c2da90617f44dee |
| SHA256 | 0e8eda735031e8865498c489efb4417769d20dc5115f75bf906cb18095da44d1 |
| SHA512 | 14a6bda75acc3aeba732e967e41f52d007ceaddac653de780bdea91466cc550e0ee13042127df8421f2b2676612538b728bbc380338fdd76c7c7126fe0e852e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | e1c2dc2aca7f24500c9656a5cde00f0f |
| SHA1 | 33ba729b62180e96b038f0abf858065e8d305496 |
| SHA256 | 8a7d974b6a021340e3b31c7aff9463c3f844a58c0fce66633bc2e05301990110 |
| SHA512 | fd79ca07c6520be8be1d4ac3870e583b8ba42881763fa96d7e06dabea40926d6ffc09013de824f742c522b346435f9c7a7c74273332226713da691426e353e8d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0832355a0f61eb955b3b1ab635769989 |
| SHA1 | ed420410e29f409e5b4b3fbbb0f0e44ced9f17e1 |
| SHA256 | 623a9a4e4bf5ad20b9862ea932ab54cdedf63895258e28afd04e4b31e42286ba |
| SHA512 | 1b4942e03fdbdc45692650f75357468784330fac1a3f327679ac89996a88b95e4ff2fd0bdabd238ae46c5282fd7476fdd8a1c372b0b1dfb1156efbca68033148 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d55f45099294e49855d32e0710bcb14a |
| SHA1 | 18f7b45bbbd3521c0f49f7449dfd4dbc07b8c3ac |
| SHA256 | 39f030753a5f0b6cd31615dee4fc620e5bfe065df26be30272e3f05b6907ed87 |
| SHA512 | 40f01060d2a0bb4be7b823429d8b2a46f12ae1e83f04719bbf69f303dd55ab12ad2b753c2bf04ff8603b5b181949350476b7523743f418c0917f9064b29d185a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 06b2deb16b7305d743c9d82532332f4b |
| SHA1 | 84cd229a019a558f2468c51fe02c9a671105a86f |
| SHA256 | 4f84812c02a528fccc46a6eafb2b7c48d584ca4282fc43eb4fb5cfdd90da8bd1 |
| SHA512 | 7985d1629c750fb311d36bd1c4e3a1f8b1055dcf166ce69cc1195e4dc5512225764b57572c8f246c94390fd222ad1834cbdb30dcf708c5263174f744cd9c391a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24689ad452fd7ab73fc1e0525393f8c7 |
| SHA1 | 350d0342d84af2ecfa90de21812efb294bfa82a9 |
| SHA256 | 22d493bd973f4e2d653582a4b5027c296bcd2942279126da56c8de5de9829c5a |
| SHA512 | 7d861f45f2e325c77a0149daae4d5620e08e8a600d25c9ce60a384a842f1f439167e8cc9d1e07a10a913a1875fcb8e0d1f84d2aa4b3bcd9a7acb6f648c54fe8f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | e522d48069a8eaca5c1fdf930f470e50 |
| SHA1 | 66a8f0f055f025093d1813eda423348042d44785 |
| SHA256 | 5ef2f6164aebe80e8b2c1d042118ed920358992fc422137b6a302c2c59afaaa0 |
| SHA512 | 569418d161a91b83e010cbaf716321a77a0e55d7f31743f0e6e9fea5caac16c5ecbacfab7d479d52caecc9f84c892a86246bfb45fc76fe143b7297e3295e0ff8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 27c7be9746c904ec0a4d238e6ffbc36a |
| SHA1 | ce8b9fbb09791e940b5e6b9f191d9eb32da729b5 |
| SHA256 | de83a7f002fbc605f382f32bdbbcdeefbfa6627b60ba2e36529fcf00166fe5b8 |
| SHA512 | c91c60f5e4c154980a29c7a02454f4057a075cc3a7b4cd3b6aa3763bd92facb3a630e055f1b0c1b420289b09de09382b6ade650ae286d3978adcddf5e92070d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2C485U7\favicon[1].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rpg4tgz\imagestore.dat
| MD5 | 8b054f5a120c834d5d7d1ea68ae552c7 |
| SHA1 | 77c44ba231b444901a8a84ea2add258d225903a9 |
| SHA256 | 396c745c2b131d932c2052ecf42cc273f7375c1faafd9cef18c97afaabe5f365 |
| SHA512 | a0a2d8758d83ed6326efab4a9df41ee1074cc0f8991a2129f25540f098bd3fbc62e9eb795658f9a1e794e0225d0c671de41db987f12ecb286960d6ccf5de32e8 |
C:\Users\Admin\AppData\Local\Temp\grandUIACYUiUaH8SK8CY\information.txt
| MD5 | 61411ef537a9b2f7142af08ff59a2caa |
| SHA1 | 67185c0be36f1d61d68522fddc6509c1d71aaa14 |
| SHA256 | aa83974073885f8f2d32bb5b641715f6873caa8ed768838bd22132f4ab6cc33b |
| SHA512 | 323afbae488a581928be726cd48cc5cc970cdb80cc81b36f3c09b69fff17209446b6dd06510c7c757786d3fd3442cbc04b7b6c758e2f62ce4a8105ccb9fc067a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2C485U7\pp_favicon_x[1].ico
| MD5 | e1528b5176081f0ed963ec8397bc8fd3 |
| SHA1 | ff60afd001e924511e9b6f12c57b6bf26821fc1e |
| SHA256 | 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667 |
| SHA512 | acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7T67LI6X\favicon[1].ico
| MD5 | 231913fdebabcbe65f4b0052372bde56 |
| SHA1 | 553909d080e4f210b64dc73292f3a111d5a0781f |
| SHA256 | 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad |
| SHA512 | 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2334ca217c6d8a494217ecb0ce029ebd |
| SHA1 | 212db7904c74b6c12f48cb295dfa5d50388e8f94 |
| SHA256 | 65810a380519e3c811ed7d3ea1b8ccadd329ceea2906602cc26d8f2d590b2dcf |
| SHA512 | 6c159e4ab05be35dc81cf0a9af6b7d555b4e43e4cf070cc05ef63a16d0bd54a4ce1756cf0ba3e591b799c707cb035ade746998f739b61c19220c2db174e539ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ec3e98147625a0d1ab3c177d6aa74f5 |
| SHA1 | 4d9c08721f83075b1f4674888041cd0fe856243a |
| SHA256 | 53dbd9aca396c6cb0ef86d60ce50e9219b7618bfaf62dddba2db9f5bd2b63c14 |
| SHA512 | 0c124c4897621d8841e043fc681032d4766c9f2de1480e4d129630c425703f07d1038f7241a0fae31308484343911f1902d5096b1b9d77715976789101566214 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 000161d82f7668ebd5449bd95d8c121f |
| SHA1 | e262045d5068e7594d2cebc166f4133cd3f8c1f0 |
| SHA256 | 349807873326bcf03b45189d87cb9b530938b15c29e0aa3ecc646c7962f0d661 |
| SHA512 | bfad9dfc8c0952abfa3fd3bc5da08d314be8393ba77a56013b319850ddc38e09f238677231062a32d9b39ffac5356e7d6f9081aca43d2b09d99806740e663f71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4649e3cd24061f37db18aaee988325e3 |
| SHA1 | af82744f5d3848dafd3f2c4cb661c4236425e29d |
| SHA256 | e3261e458e485fe1e9a86a192f26d7a04ff0de7cab246613d7c0ff4388cc9ea1 |
| SHA512 | 5ab441b7e0567353f7ba99770aca113a018974112835bf5c881d2cca5ebe3c06eff773c320133a3ebe4c1d88457167cc1f22de19f7265b77b6ac3a4f7b3b24a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1f61b75e3960513199b5555c1a5da1e |
| SHA1 | 989ab8a81f7409aa795c8b7d1258f3c4eb2d38e9 |
| SHA256 | f333e2751ad99f955e3180c43f8882cd458a9396ae89c0155c06728b314b7461 |
| SHA512 | 84e687fab062e57a7ea42f14d7ee8ea4b9d8799b7fba525274925b58b7d972cccbc36a921043716c21df521af783de76323a268e1299550efa20cfb3394aa25c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65cd713215bcedf937d536cd5da64061 |
| SHA1 | b4b3488abd014b9508edcef619eda82d454a94bb |
| SHA256 | 9b122d6f646d485226559b329cd59e9e25531abc82912b58ec79ebee2e741e22 |
| SHA512 | 49006e22913ab598d6f1cadf7ef3d39e4d4aea0ae276eab7e59e9c5106586caab23bbb7025da92ad64b06137fe7c4dfc56adf3a3006d94d2bc29e1d7910fb1dc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 46f731d72710735d38ef6aed49852870 |
| SHA1 | a3b344e34bd307a1a4ae38b4c5b7c2f67f609e7a |
| SHA256 | 3af01d922c2ef1300e778d80c4a802e844dab7fde67660716d76de814810361b |
| SHA512 | 46fda3ff342499ed9b8433ea08d30dc77a57afd912465e1a4c93f81d3ac691369108310aecdbdd81f421254ec0dd8559d030a7e35c0c98b9419c2f0429b6d8bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3FH71F1O\shared_global[2].css
| MD5 | 0a8d08e60a949a4347ca9f22439dad06 |
| SHA1 | 2b1ed5afa2c62232b1d597b3203d09c4f6b073c7 |
| SHA256 | b703b0050b0a708f1636619b6317fb82422c1eceea1c97ac09538d23bf499420 |
| SHA512 | 27037b119e90da25235a934368c54a6e706b653c17b8564828f09394d440f7b569adb7faefed62c12e4185cdd11689d9700f1f1d9b5e0bb947af82f36f529386 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7T67LI6X\buttons[1].css
| MD5 | 84524a43a1d5ec8293a89bb6999e2f70 |
| SHA1 | ea924893c61b252ce6cdb36cdefae34475d4078c |
| SHA256 | 8163d25cb71da281079b36fcde6d9f6846ff1e9d70112bbe328cae5ffb05f2bc |
| SHA512 | 2bf17794d327b4a9bdbae446dd086354b6b98ac044a8ee0b85bd72c3ab22d93b43f3542df03d64f997d1df6fc6cac5c5e258c4ec82b998f3a40b50c2fde99b5a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGMI6V4A\shared_responsive[1].css
| MD5 | 086f049ba7be3b3ab7551f792e4cbce1 |
| SHA1 | 292c885b0515d7f2f96615284a7c1a4b8a48294a |
| SHA256 | b38fc1074ef68863c2841111b9e20d98ea0305c1e39308dc7ad3a6f3fd39117a |
| SHA512 | 645f23b5598d0c38286c2a68268cb0bc60db9f6de7620297f94ba14afe218d18359d124ebb1518d31cd8960baed7870af8fd6960902b1c9496d945247fbb2d78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c2765c7a6930205ee1f18c32fa337e8 |
| SHA1 | a612f561d3da969f0ca4bc0b978e3d6166845e0b |
| SHA256 | e1da0961838fb59381d57fbb0ab3bad358932e09bd6909bb734cab1a755c0b60 |
| SHA512 | fd910bac87452a52789dfc02abb1085801ab2c627d9afa364159a108f72a2a3bab2ae17baa37ba42d2c08837a68419952f1cbb3ca23f064b6e6e2dcbcdee04c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGMI6V4A\shared_global[2].js
| MD5 | f94199f679db999550a5771140bfad4b |
| SHA1 | 10e3647f07ef0b90e64e1863dd8e45976ba160c0 |
| SHA256 | 26c013d87a0650ece1f28cdc42d7995ad1a57e5681e30c4fd1c3010d995b7548 |
| SHA512 | 66aef2dda0d8b76b68fd4a90c0c8332d98fe6d23590954a20317b0129a39feb9cd3bd44e0c57e6b309227d912c6c07b399302a5e680615e05269769b7e750036 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGMI6V4A\tooltip[2].js
| MD5 | 72938851e7c2ef7b63299eba0c6752cb |
| SHA1 | b75196bd3a6f9f4dfc1bbf5e43e96874bcd9ce4e |
| SHA256 | e2d4e0e1d3e162fdc815f16dfff9ae9b0a967949f0f3ae371f947d730a3f0661 |
| SHA512 | 2bb6c03a1335ef9514d0d172a4284d82a29d1783a72306bdcb8af3185d5cd2ff16303355aa4b05086d2fa0b5b7c7159cfa67de4a6175095ff0e68adec2a56ac1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGMI6V4A\shared_responsive_adapter[2].js
| MD5 | a52bc800ab6e9df5a05a5153eea29ffb |
| SHA1 | 8661643fcbc7498dd7317d100ec62d1c1c6886ff |
| SHA256 | 57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e |
| SHA512 | 1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ec9ba844e382ac22aa3da95fd18c5388 |
| SHA1 | 0b4fd8b2609eb3d78a6fb0a111010f1d13c8b36c |
| SHA256 | 862cab8ac7d456da94d8761f6982cc57d7187d791b6322fa542f9b02565b858e |
| SHA512 | 60499f8cb32cafeb867c33c9d8bcd1facb6a67929afc4973b063eebe43c9311d4e5649cf7e99c31de2d280f0b2e5af0e98db3110e98c874a1650c4fea7ef910f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | 9aaed24302632e5c4dc82b2c88017523 |
| SHA1 | 82b2f2de0c8cd814d797675a0a49377e005d16f1 |
| SHA256 | f280cec453f3aa5e17b9ec37bec03adbcea41f1ab43d87a7ec402f9bb3850060 |
| SHA512 | 95eba331fe8f4de2ee0306e59c5838a728ed3001d80f61293b42a9a87fbaa2a698840fa33ce9d3b912a0aa66bcbedfb4970d70207c19e694d9eec18d4bdade71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01d91dc470950239b0a2d64a3ca0307d |
| SHA1 | 5397864b606f2ad00b8719d8d3184c1cc5741b38 |
| SHA256 | c2ea186b14d08b344e71da9e3b6883c505f4c8493e357a1149cb4caf71bd39b5 |
| SHA512 | 2efcfdcf1edaf51da6ca1ebf6df5e7cbaa5b3b686aa790adaf39523894c6cc5cb7beab8d05b82e70f64f2d4e2b4021592866771ef2fd27c8d3d26d29a82c33c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2C485U7\favicon[2].ico
| MD5 | f2a495d85735b9a0ac65deb19c129985 |
| SHA1 | f2e22853e5da3e1017d5e1e319eeefe4f622e8c8 |
| SHA256 | 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d |
| SHA512 | 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4865d319833c9711b55c8fca8faf16c5 |
| SHA1 | 04c8a72bf4122d60cc84cfe3d46e9af0aaa788ae |
| SHA256 | 39a6d67d28988fd73b5c3c9797fd77bd2577b6fd2bdce4d25b2b4181b2b78c01 |
| SHA512 | 8a9b82bcdb790317109c8de74dfd690e4a68d293026208501b29e57616e59c2d0934c41bdb2dc003a086df30e79745f6e7162befbcf2e74fff47995b59ac9eec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 650278ea144e93c552a6d0be7e2bb08d |
| SHA1 | f6efa8d09b28e256acac83af6d8d93c0509efbd5 |
| SHA256 | ecd574fdeaa3c66715629e0f67f48771b03aa1065a46468732250e1ef13a69b3 |
| SHA512 | 470dd8052f2728a6dde99d521681b4b79d3be1800a1df3b5f7dd2a6072379cdac2695c900b6d7b3c861a12bd4ef87549d1524fb4464c15bc7c93e99bd9c774b2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2C485U7\hLRJ1GG_y0J[1].ico
| MD5 | 8cddca427dae9b925e73432f8733e05a |
| SHA1 | 1999a6f624a25cfd938eef6492d34fdc4f55dedc |
| SHA256 | 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62 |
| SHA512 | 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2C485U7\epic-favicon-96x96[1].png
| MD5 | c94a0e93b5daa0eec052b89000774086 |
| SHA1 | cb4acc8cfedd95353aa8defde0a82b100ab27f72 |
| SHA256 | 3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775 |
| SHA512 | f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cb909b0af036d5260ccac122ea0fa903 |
| SHA1 | dfd622c68f3febe882799673106864bb78dab08a |
| SHA256 | 18616a6e0becc9e1413ef21fdb92fe17b8fcb49a3c5acc16d0306e37850df3f3 |
| SHA512 | ffdbeead744cf6e790e8f3a30dab77d2d4d657d9db8d4d7f891ca278fbc42ec2da2ed53bce0f54cd837dece4ece768145fe9373a173955d9e3b681a8e8553e7e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 417b171321e88791e74566d94fb32dc6 |
| SHA1 | 9a001e7dd531e978e718b6d81ec4e022f0f99cdf |
| SHA256 | af7d38e57cc19f3ac91e0e0c1322272f95c2082363ef0ebf1a777207cae36b39 |
| SHA512 | 010962f09eefda22a2f995b754bd7cacc4a593c3f7468ee7d5f9f39facc813fb3146fdd29d07061061608dc88c821e16a76eb9948796853c5d0508567f16bc07 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7df1279cd26ac0223f43a6d863a79d70 |
| SHA1 | 730e3ec59b5150a0a5e4c3ec3c376b84489d8e28 |
| SHA256 | 2622accd68d7798a5ee36f708b0840f7ff488b9ba90a39b278f3af083da2fef9 |
| SHA512 | e1dee904762dbf213604ccbbe61a453058f560a23187c5464b291113de66c5cb61cdf3300ae015b0a38b8af5aa08ca3ac2cbace9b5581771f1abc1502301f1ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c576f7a0593a3e1d9258aab91ecfa91e |
| SHA1 | 4a36deaee3e34c440b91017ad5a3b091c22bbbe7 |
| SHA256 | 92f854a6a41c9410b467b6f96e84aae332641f905bf6e96ee75491fdafdf8efe |
| SHA512 | cc1dae76b7b8d5e48b90b4bc032607d90d3c927d7085522021244336c1e88d1cc7869cdfac359d175231a91d0889bb6befa2ae1569142dd2c8b766b85896ea9b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88467d304d484565a94ccf359de0fbfa |
| SHA1 | f34d2bf267ad8913a04af8c909132ace529771ff |
| SHA256 | 9a3fd5779eda9896c84e4b47cc8ba765ecd7e379b37912be0864de5f09b58763 |
| SHA512 | 7539ac69c8ea4a7aa911215005443157c1e15fc80cff5be158e77cb2cccbb59fc96d3d1c18340031f1edb3c8ae814bd01f3cb90cd63d9fe6996ee99d29302228 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b913dfb6589387c43f75221c4ab8359 |
| SHA1 | 5b74e7bf2a7df0111da4fbd2db70b4ef0222ea40 |
| SHA256 | 5dc2448bbfba212546dab35a0ddb77873410d9748459f71ae46109cba60d5215 |
| SHA512 | a3cc0c63a7e5c0c97845df81a9c8fbc7956d62e77c34751ad572b32bf4921e8bd305587989772dd4b9267958505fd29ea70babdd6224169f11d7f89e7bb820c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c691f1061c4dabb5b8aeb938da3722d3 |
| SHA1 | 51c2fbbcc66522677f4808c1a9efbf319b73785d |
| SHA256 | 360d8417c4015ad5ae5a2a320f8313a049842a62049c46edc881870bb1348325 |
| SHA512 | a0ac8ca3e05659388f9fa3b1b37ce0b8e4cc1065ff0437276a24a8b0c8bddd9b2946d63c05414f9b93107d95f86352b857908af7c577139b4cd665d003a55d40 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5a257c010fc62eed6d52f2a88853539 |
| SHA1 | 8c87d5aa57db3e7c8c6d1d7c6e066e5f66303111 |
| SHA256 | 7a509b1f77198db10cc9abc46e43b5fff2356519128252c40743739cdeae3b5d |
| SHA512 | 1ded583215a20f60f2dcfbc3f7de90ecc75e95c04b72a39b98acefac520d97a84406e003f38dd9c77fd58daa902c2c11b6eac492d60e640bf7d92a5a7793dc12 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7238f907e1276030634d56f13373d31b |
| SHA1 | 931f845495fe0f7d0e74d4074abae554545edc1f |
| SHA256 | 465882ae5ad79ea783c3566739ef7709e736d154013a01b464492c7a4ba85d90 |
| SHA512 | a13a7af9de0fa4c12300c2df8867497d48ad2c231d22c9033d80e6a13968db71d31d60fff4e94a069419f81e3ea076901917668d01e9e9fdc2e44442311bc950 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66de68f8da81a530d80d346718667d51 |
| SHA1 | edd9743dae4078dde2e649582926f8a0acf7ffdb |
| SHA256 | 722dba50a30e790d3f012a5173b7a386c15a7a4b95d805cd7fa20806ceba911b |
| SHA512 | 0b92a7b2ce938cff372b345b38168e128d8ea4bc30e47f00d8168fa4a16ff8a800aafcc2c7d577bf64c1d6601fc3076f59641bac5d0e167a1568cac14a4ec7c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dd960e5929ac5fbe8a0f0749732c67bb |
| SHA1 | aeacf63f77d1d36551c8253230d3540bdf923787 |
| SHA256 | dd1388fc348783876d4c1be595a544cc557770df1c35a83bf755da4949722110 |
| SHA512 | 5aef62ab1029ca93f92b6308ac5a7bc5bf387c8b03a7c26048587961bc6b9281f8f60655194c1911bc203e0e9dea898f3e47dc887e3b0b232187db1d630c2eaa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0f14f35d9e3e971f1f40265e4a99c9f4 |
| SHA1 | 1bed1745fe52d4e02a7d0dcf75befdada0319392 |
| SHA256 | 3a2849b1af2b976eff30123edf14fa6b7fc866d4f2b68df646234f96c06a12ec |
| SHA512 | f64d1a9796097dddc0087d918d86689713dbe957d3678f4b1ab98648b3115db7e1645004822c1307756aa43d1c0dea9a95ec9baa439e541cef10dd4c4cfdce15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 09e178c11890f05ecd901aa88d10399e |
| SHA1 | 654477058fd5dad4b4c461f1b9a4a1ad317f64f0 |
| SHA256 | a09aab8897b5371bc7f29b62cf7af325f77dd537aebec95c36b67a66d972351f |
| SHA512 | 5bcf31709c113f3a6ce2c4b1d363383529804687f6dabc4e1ab32719f9c86fa409816c9ef87aaf1a4a93ef13fbe3fd80fda4dfd1c853f7cf8f785adc20df160f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-12 04:43
Reported
2023-12-12 04:46
Platform
win10v2004-20231127-en
Max time kernel
111s
Max time network
156s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
PrivateLoader
RisePro
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4003.exe | N/A |
Downloads MZ/PE file
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4003.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4003.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4D90.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4003.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4D90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4D90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\566B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6466.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6F54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4D90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4D90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\48e7e499-10e9-4c11-aab2-00308b19ae3a\\4D90.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4D90.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6F54.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\4003.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4003.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3484 set thread context of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe |
| PID 3416 set thread context of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\4D90.exe | C:\Users\Admin\AppData\Local\Temp\4D90.exe |
| PID 696 set thread context of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\4D90.exe | C:\Users\Admin\AppData\Local\Temp\4D90.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4D90.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6466.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6466.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4003.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\566B.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
"C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe"
C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
"C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\343A.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\4003.exe
C:\Users\Admin\AppData\Local\Temp\4003.exe
C:\Users\Admin\AppData\Local\Temp\4D90.exe
C:\Users\Admin\AppData\Local\Temp\4D90.exe
C:\Users\Admin\AppData\Local\Temp\4D90.exe
C:\Users\Admin\AppData\Local\Temp\4D90.exe
C:\Users\Admin\AppData\Local\Temp\566B.exe
C:\Users\Admin\AppData\Local\Temp\566B.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\48e7e499-10e9-4c11-aab2-00308b19ae3a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\6466.exe
C:\Users\Admin\AppData\Local\Temp\6466.exe
C:\Users\Admin\AppData\Local\Temp\6F54.exe
C:\Users\Admin\AppData\Local\Temp\6F54.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe
C:\Users\Admin\AppData\Local\Temp\4D90.exe
"C:\Users\Admin\AppData\Local\Temp\4D90.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\4D90.exe
"C:\Users\Admin\AppData\Local\Temp\4D90.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2892 -ip 2892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 568
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13906737394333911450,3341372604459557844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7580873702800239064,7082520195997237181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13906737394333911450,3341372604459557844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7580873702800239064,7082520195997237181,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15930691946751608274,13153657859695741700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,15930691946751608274,13153657859695741700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x168,0x16c,0x144,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5142126469591650117,18177171949595903564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6444 -ip 6444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 624
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff990146f8,0x7fff99014708,0x7fff99014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\566B.exe
C:\Users\Admin\AppData\Local\Temp\566B.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1408 -ip 1408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 2212
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 24.52.193.212.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | edarululoom.com | udp |
| US | 104.21.42.224:443 | edarululoom.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.42.21.104.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 243.161.140.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| US | 8.8.8.8:53 | 238.8.196.185.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | genesiscarat.com | udp |
| RU | 92.118.112.94:443 | genesiscarat.com | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 94.112.118.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | alata.com.sa | udp |
| US | 192.185.30.176:80 | alata.com.sa | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 109.107.182.45:80 | 109.107.182.45 | tcp |
| US | 8.8.8.8:53 | 45.182.107.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.30.185.192.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 38.47.221.193:34368 | tcp | |
| US | 8.8.8.8:53 | 193.221.47.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| BE | 64.233.166.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | store.steampowered.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| US | 92.123.241.50:443 | store.steampowered.com | tcp |
| US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.166.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 3.230.179.48:443 | www.epicgames.com | tcp |
| US | 8.8.8.8:53 | 103.202.103.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.179.230.3.in-addr.arpa | udp |
| BE | 64.233.166.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 22.10.230.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.paypal.com | udp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 21.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 68.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 8.8.8.8:53 | api.x.com | udp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 104.244.42.130:443 | api.twitter.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| US | 104.18.37.14:443 | api.x.com | tcp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| GB | 199.232.56.158:443 | video.twimg.com | tcp |
| US | 192.229.233.50:443 | pbs.twimg.com | tcp |
| US | 104.244.42.133:443 | t.co | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | 130.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.37.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.56.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.233.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking.epicgames.com | udp |
| US | 8.8.8.8:53 | static-assets-prod.unrealengine.com | udp |
| US | 52.203.30.102:443 | tracking.epicgames.com | tcp |
| GB | 13.224.81.67:443 | static-assets-prod.unrealengine.com | tcp |
| GB | 13.224.81.67:443 | static-assets-prod.unrealengine.com | tcp |
| US | 8.8.8.8:53 | 67.81.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.30.203.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 142.250.187.246:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | 246.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 23.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | community.akamai.steamstatic.com | udp |
| GB | 104.77.160.221:443 | community.akamai.steamstatic.com | tcp |
| GB | 104.77.160.221:443 | community.akamai.steamstatic.com | tcp |
| GB | 104.77.160.221:443 | community.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 221.160.77.104.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | tcp | |
| RU | 213.21.220.222:8080 | tcp | |
| US | 8.8.8.8:53 | 222.220.21.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | tcp | |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
memory/3484-1-0x0000000000BA0000-0x0000000000CA0000-memory.dmp
memory/3484-2-0x0000000000B00000-0x0000000000B09000-memory.dmp
memory/4960-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4960-4-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3432-5-0x00000000026C0000-0x00000000026D6000-memory.dmp
memory/4960-6-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\4003.exe
| MD5 | 9adb9cee1abeaf442c9de0ad6e1ffbc1 |
| SHA1 | d09c01e1330fbfd3ab2410bceddcaf74c1393998 |
| SHA256 | 554ccf8442669bd6301dfdab3e7333eb5996f295004585e3db6161a9b2bd00a8 |
| SHA512 | 546fb243b5952d693436aa3f1105fa050683f6854d5bc685da874f3d2b112b4b5f4dae48630eec51e5ea3a74e172b9d172d12c98ed71c3ba56fe18a83ac34fea |
memory/4552-21-0x0000000000160000-0x0000000000B1C000-memory.dmp
memory/4552-22-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-23-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-24-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-25-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-26-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-28-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-29-0x0000000077234000-0x0000000077236000-memory.dmp
memory/4552-27-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-32-0x0000000000160000-0x0000000000B1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4D90.exe
| MD5 | 454440503db62af8520be0827389df6a |
| SHA1 | 473f9a477bdb8a408e7fad05e858dbbaa76f1dda |
| SHA256 | b816a1f49cf7a431b9c23d32cb60eb6bae72d88b23b19a861e5f690488b00d57 |
| SHA512 | 6c7f3847a00033394f5b8adb1fadb177b6103ccd6a9205dd2dad45e550805a0cf8295df2353bbf62ce9e629c3218e6c44621f716ebef23931b34ba4102debc15 |
memory/4552-37-0x0000000008040000-0x00000000085E4000-memory.dmp
memory/4552-38-0x0000000007B30000-0x0000000007BC2000-memory.dmp
memory/3416-41-0x0000000002580000-0x000000000261B000-memory.dmp
memory/3824-40-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3416-44-0x0000000002620000-0x000000000273B000-memory.dmp
memory/3824-43-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3824-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3824-46-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\566B.exe
| MD5 | ab0443c4b5ae89cd913377183852ecb3 |
| SHA1 | 23cf5fb65377cfe0af63adede50c50fb24dc32ab |
| SHA256 | 8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237 |
| SHA512 | 149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b |
memory/2908-51-0x000001FCAD660000-0x000001FCAD79A000-memory.dmp
memory/2908-52-0x000001FCC7C20000-0x000001FCC7D50000-memory.dmp
memory/2908-53-0x00007FFF9B920000-0x00007FFF9C3E1000-memory.dmp
memory/2908-55-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/4552-54-0x0000000007AD0000-0x0000000007ADA000-memory.dmp
memory/2908-56-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-58-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-60-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-62-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-64-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-66-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-68-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-70-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-72-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-74-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-76-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-78-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-82-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-88-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-90-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-92-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-98-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/4552-101-0x0000000008C10000-0x0000000009228000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6466.exe
| MD5 | 7a721dbf14dd3eb263a9ae638f3b659f |
| SHA1 | 13452bd20b632687b51c9d0f9c1c4f80f0d14eea |
| SHA256 | 52c1c503ec181013e94aa9ec40f4dd18aa7f4f9b1205ac194d62e514fcb984de |
| SHA512 | b1a9cb5ed60c364edb6f900cad5cd07377d08fce7782111bd94bd540598f22ad0768c56d50575eea2a896384c68f1f6d28a8d870809340e7df27fd88658a942a |
memory/2908-103-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-105-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/4552-108-0x0000000007EE0000-0x0000000007FEA000-memory.dmp
memory/2908-107-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/4552-111-0x0000000007D50000-0x0000000007D62000-memory.dmp
memory/2908-110-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-113-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-115-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/2908-118-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/4552-119-0x0000000007DB0000-0x0000000007DEC000-memory.dmp
memory/2908-122-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/1408-125-0x00000000024D0000-0x000000000251F000-memory.dmp
memory/2908-126-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/1408-124-0x0000000000890000-0x0000000000990000-memory.dmp
memory/4552-128-0x0000000007DF0000-0x0000000007E3C000-memory.dmp
memory/2908-129-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp
memory/1408-131-0x0000000002740000-0x000000000278C000-memory.dmp
memory/1408-135-0x0000000000400000-0x0000000000875000-memory.dmp
memory/1408-136-0x0000000004E90000-0x0000000004EDA000-memory.dmp
memory/1408-138-0x0000000004F70000-0x0000000004F80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6F54.exe
| MD5 | 86b8cef1ba13b3c3b9ff2ded5c5835e9 |
| SHA1 | 0d25eae2e1b0f6c5ea29d6c593cef46ccabd0f83 |
| SHA256 | e30e8e2a4203da16fa50410f35d505acab3bda4f00afa0ed5683fdb0a6c35a12 |
| SHA512 | 9fdec0a033043cd157ff4724180dad130b57a03dd6b3f1bb07cd23eac287ac7db1654aa39bf8ab00f3731588f39f5e1d11073d30ffc3474f57c00e2a8ae6e47b |
C:\Users\Admin\AppData\Local\Temp\6F54.exe
| MD5 | d705e3aa388d03b7956742e5ea495167 |
| SHA1 | cfb6c5de8a7b2cf45e337989e5fd03e2def58ba7 |
| SHA256 | 06afd9c627a35789aff142aa9c3042b57d9de609f6b47ddf173e332bbcc314b2 |
| SHA512 | 926e2dc6252e178fd8ab707b9be9a9a6b7332b48a2c2176340edcc76da79917d412921d1c129785a740e7dc61466040052cb953990d1ca44afc1991988abf03f |
memory/1408-142-0x0000000004F70000-0x0000000004F80000-memory.dmp
memory/4552-150-0x0000000000160000-0x0000000000B1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe
| MD5 | f9986eefb6d2213d8b7d8d27a221ad50 |
| SHA1 | dbe7a39d6997e011a6c4ac1c5c50af2f018fb7f8 |
| SHA256 | d1f83d7fb3af99040e0371677254483c8828f239ed1cd3d1923cc953a2cc2746 |
| SHA512 | a33240cf68409e4b2c08c7e77a6afa4d2a1ed8c068e8fdb07c181224b93c972feeba7ad8ade3c6fdf8df7e4f21b6e139cf649f00ca8443754a60a23656fbbcce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe
| MD5 | 5177f9d2842b74a2be7f5aba232faffd |
| SHA1 | 9b6c926c477183ff5682d2afe0cb62de976379c7 |
| SHA256 | 3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63 |
| SHA512 | 6fa2f49b55f799a8f82a8d520db344383f645c834291d731278a08e344309a9d7064ab6123e56d43a00fadbbd79694d85355b011a145aadc607137bc26befd15 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe
| MD5 | 328b9335d21864bb377c850b2db079fd |
| SHA1 | e0f2e906daf8bc05e446af14169e5195ecf093ec |
| SHA256 | 0e33056073214a6b9beb9971c64c541aa9b5227fb86a30cac1dfba493c905971 |
| SHA512 | c396b5b6d64f15503952eb74167a10bc23bf90b99a89a9260d206476546b861a8fe9ad502579ac1770f910d76b068d4b889e978eaba7f9b66ec1d2ff5fd3bfaa |
memory/1408-171-0x0000000004F70000-0x0000000004F80000-memory.dmp
memory/1408-162-0x0000000074720000-0x0000000074ED0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe
| MD5 | f5f7ae3ee6e2f270dee0eec7f51cbfbc |
| SHA1 | dafd403a0077f366965155fcd2b9153be5a31097 |
| SHA256 | c247f153990e439d4b28f23cf98ce8c59a59f375a4aa3b15b8009c8cfee305aa |
| SHA512 | 60e16e78a537cc4157b4eec8323fadf97cbf4b78a7ed741c0c92a352d65d68c577c64059a13b4b1c58602989d22f076bb6591f4271c8124ed21eaf7cb704617d |
memory/3824-198-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe
| MD5 | 4e903722f062f52bcbbaea07fcb804c6 |
| SHA1 | c81aff391e1910e733a14e2933a440581933064e |
| SHA256 | f09a3cecfeeae14f9165245c4ce951eb4eaaf4a7d061d8f6af7e8a561ad6edfa |
| SHA512 | 2d9f9472e18221c2e9fbe7a6dddface65db74a07ef0819096ed905fcb0e652c760b840172099519519c84184442410dc71e9a872fb170fb805ee47ca3cb72bff |
memory/4552-221-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-224-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-227-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/696-230-0x0000000000B70000-0x0000000000C04000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5990c020b2d5158c9e2f12f42d296465 |
| SHA1 | dcb52612d301824d3a7fdfd0ea20c3fcfbb7a1b4 |
| SHA256 | 2f33956ce5a0bb01abb3c0fee9a321c8f8f7abcf1d7535800bf25f1dc44b1643 |
| SHA512 | 9efb70c4922365967c5fa7e89967e21eede96979a149e027099da786cd8b198d4e81bb3bf2b39c8d65a8796c5d72ca79241e66fc69e2502fdec8a0c5f230412c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 208a234643c411e1b919e904ee20115e |
| SHA1 | 400b6e6860953f981bfe4716c345b797ed5b2b5b |
| SHA256 | af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458 |
| SHA512 | 2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2 |
memory/4552-396-0x0000000008670000-0x00000000086D6000-memory.dmp
\??\pipe\LOCAL\crashpad_3760_FTWKEKVMAGOBDJNN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b870c83fb3effe89ef276112cac9d2ee |
| SHA1 | fdf6c334a6a3219be4814c19823f4179f9a46d72 |
| SHA256 | 820172e89bfe836d3e0b752bee70004dcc5720361ade524b170207c0cd0c9479 |
| SHA512 | 9b77097a2da6426a07627eb46a04cf96656870aaa8f63b2e086db83f6591c8361193221d44756483612d15a48d0bdc864ff086d5e1a6c6d4a68d27729f5c10fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | edd2f1e3a442f7c299be4373c3062976 |
| SHA1 | c58c00484221cca5fff15429593fd165ce756321 |
| SHA256 | af5ff775ab4a866ce552caa888a2bfa12192b3f4c86901e094cac4e11deda0d8 |
| SHA512 | df5222dd67165f87c9f63472ef3d298401377c2f84d1fd3dd1186cd8ea49194c545e637d2800cfd2d25e9778ce9c67cd47ffde96dd5394dd181c7a39be623cda |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6a7413064b301c13e2d3a57387876867 |
| SHA1 | f2e762ad3d4745d66bff1302e9607d8c7b88bec8 |
| SHA256 | d85b43ff17c3aa60b36f0fcad21dc4b5da36ff298d26266cda46f344b2bd1440 |
| SHA512 | 9a078e395d2b0e64137548c38e4613c8401eb3847d06414b315f5a870630d9617fd2b43967df22dcc0c6fba8f96c36b3842c4cc24081b1aad4316bfd353dca0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1a95825131ccc2679ebcdaa8a4790e6c |
| SHA1 | 5383f7316517fcc7a6db207224898fd7b5cfb717 |
| SHA256 | 35e242afc4a7e389bff0effe08c602ae334ec62281c969a5a996856c485993f9 |
| SHA512 | 9f47ebe816d75038607223e4a1be344f8c622c735e7d6229aa3e54437a6ec0458272f8bc2f889d56ebaab243e4b2fe84a6ed3f110ed81ddf1c539ddc6087a81d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d789060e1156823c973bfec9be3e9ee3 |
| SHA1 | 332e08aa8904421ef5e3a1bc337af43b615b33bb |
| SHA256 | 25619e037443169beec9c14942a522f7d8d5ecc07b2d1e074be27448f772bec2 |
| SHA512 | e078aa89e0203aea0fcfa1b6fa188f832ee02897d1b95b1975cbe82233706babd8258fe1ecdabc642def2240314678f0ec8c5df89ac9d6e4862805c1830e072b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 3e61f1b5c83d57794fb57876a8ce4886 |
| SHA1 | d69fb46fde92526ba21a2ee39d9b98445310a71f |
| SHA256 | 44c1f59f48fca1dbbcb999232154f060a74d760bdb510accace016de59ed4233 |
| SHA512 | 1bc86558d62a6730c2ab9b2382d68b5b35feef499b489c595ffc9fc4b776d63c0f23afcaef91b008bee22145d92067c7344d2f45ecc8d78d5bbe64ac1b2a1cdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | d454e7a527eb704a79a8b442cc5d2b65 |
| SHA1 | 1677bb3771ce4d0e5a4c7d949ce70efcd4ca8483 |
| SHA256 | 20b8b32c126efa2a5b52b64e5acb614e3f5ea688ef39b0897e0d50135d6a860c |
| SHA512 | 29231e9a37e1494dec806306a2c7f4eff9f5d9e05a6e374ba1119ae83ab33ad0132a57ee61e5865a5263bb6f2d51d9181317b180ef9e7ed74aecca93c5381224 |
memory/4552-704-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/4552-701-0x0000000075F80000-0x0000000076070000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe
| MD5 | 7c843f9498585e492c94721ad7113b63 |
| SHA1 | 03dd3da5b0fae5c0a037cb242d9f0c0e8c989354 |
| SHA256 | a25674069b6df920ad68ce548f7678c8e4620717ee97a93554fb3d4e8293d307 |
| SHA512 | 70546c2ff3b17046beffda3e4b64e78b1efeed6dceb80c79d91354bad9dacc4b978a59c541878b3f4e656e6d804dcf2c1af6b36a1bec265471f2f9f0dd83e3c0 |
memory/6472-717-0x00000000020C0000-0x00000000020DC000-memory.dmp
memory/4552-720-0x0000000075F80000-0x0000000076070000-memory.dmp
memory/6472-727-0x0000000004F60000-0x0000000004F7A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b6bc0f050ab48b7639e2a3a948892951 |
| SHA1 | 866b4b93ba256612bb08071524b55d78ac82ebc7 |
| SHA256 | 4d83d9ab56e44b27dce671d8c868394b0c930e7cfe82b664450228f858002f2f |
| SHA512 | e32d60b19164b05650d223e651fab66604a12bcc17ec8b29ee7cdc167bf6ef6c9b7fa8599d60f3e59a76cedcdd66e85be115c5037ec30e185abcc0e53b039fc8 |
memory/6472-739-0x0000000074720000-0x0000000074ED0000-memory.dmp
memory/6472-748-0x00000000020B0000-0x00000000020C0000-memory.dmp
memory/6472-753-0x00000000020B0000-0x00000000020C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9c67369e823111c517448f014491f3a3 |
| SHA1 | 2924812d4f27e470d7b0cc666a5bf9f1b6a194dc |
| SHA256 | 577bcf6b9eafc57f29aab9a62f485c9a216e625924585f7f1a78faef68ae2564 |
| SHA512 | 951333486475d1e37d9eb784c414d56069161112fb5c59ca07ee8860ad487d72d59f6e99ba2b0c2037c787b4f7066d225d22939c4be096aab12dd9a9ebd4ba30 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 5a6206a3489650bf4a9c3ce44a428126 |
| SHA1 | 3137a909ef8b098687ec536c57caa1bacc77224b |
| SHA256 | 0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28 |
| SHA512 | 980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78 |
memory/4552-883-0x000000000A1C0000-0x000000000A210000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cb6ed296-a008-4b82-8511-bf5f493e3fd4.tmp
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/6472-1107-0x0000000074720000-0x0000000074ED0000-memory.dmp
memory/2908-1128-0x00007FFF9B920000-0x00007FFF9C3E1000-memory.dmp
memory/3524-1131-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f3ee5fd04c876b4334362f9568109362 |
| SHA1 | dbd1a5b57fa50b711093c176a154ceca66dba149 |
| SHA256 | d66f4d5e9bece36af155bc9350d6f4445c9b3f7a8fcd41b9e905f74fdcba49b9 |
| SHA512 | 687be862a45212a964e59b3dcad9f3c7bb60e48470c50f818e5f7c0c100a577e450ff60c3f89fed2522d2d42dc3983f938caa8ed6cf5fcec5b17cfa206ba7595 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 15edc8f72593e5a6b883e6fc14bc7921 |
| SHA1 | 3839a9190d64a7300beb1bd82eba3c783f354012 |
| SHA256 | 29dbd6ed72ad3e114d4a28e7de6d92f61b3c2199f89ff761c361d20a2199e4b5 |
| SHA512 | 083e0eb4bde840ffcfa91b4722ec8bf3a6d80b1121badb888d2a8c76a717966af45f1a0764c7ca35ad4cdbfd108961c74d6d59631d3ab51cdedf60ae2dd51626 |
memory/3524-1297-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4552-1365-0x000000000A3E0000-0x000000000A5A2000-memory.dmp
memory/4552-1375-0x000000000AAE0000-0x000000000B00C000-memory.dmp
memory/6444-1402-0x0000000002630000-0x0000000002704000-memory.dmp
memory/6444-1407-0x0000000002710000-0x00000000028A5000-memory.dmp
memory/6444-1413-0x0000000000400000-0x000000000090C000-memory.dmp
memory/1408-1419-0x0000000000890000-0x0000000000990000-memory.dmp
memory/1408-1422-0x00000000024D0000-0x000000000251F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | aacda2f314717240bf04eb9b04be308e |
| SHA1 | 58d10ebfdd3463ec710a28062355641f127eb271 |
| SHA256 | d6964cd24575404084e4b9655e690e0cd7d62adeeb2730988d000c2759079a59 |
| SHA512 | 2db09bbc5c5ec07c53b07e0f0d72cbdcf3536563683b46f42c457ecf67167490dbed430c674ce5eeac9eb015c05c2a582e894605698f6873ab370428303bb904 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b2ed2cbd56898852d4673f1e73236533 |
| SHA1 | 51cdeefa9ec4a9ac79ca6f44d77e71aeb59098ce |
| SHA256 | 164efa6e2e8e8ec834d755650faf45c45381a8b9581104c5c2078e9183245cb2 |
| SHA512 | 4a4dac4e8e477e7339df52a110938ccc4d86ae26045cedeed1d5bc5d3ca78548b68ae345336e9b311706bbf939d87b9c1f46672380f0c132ddce73cfe4264489 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592bc9.TMP
| MD5 | ff2b32d838645a4e3cb68037ae0d51f6 |
| SHA1 | cdc3779bf85a0dfbd4ba3a50d97596ec84aefb77 |
| SHA256 | cf0953f21a1e90920bb92c2bc154ab84583ce2ba15f1622952a9b8a76c980727 |
| SHA512 | 71905240aace326676c623c318ebc69dc3c63e7a59c31978bdbef55efb65fe2412ef5b2d64ba1729b54b515fda8a1fe3c10391906864753edd6e85722144d617 |
memory/1408-1760-0x0000000004F70000-0x0000000004F80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b2eecd1b1ba62b5add6f8e63bfaca3ca |
| SHA1 | a6f4ac73d8f2508d28c057aeeabab1f783f72da0 |
| SHA256 | f5f926e7e52f8f26e56048546f54755b0f07a82193d1f951f64c04c47b1e421a |
| SHA512 | b236b56789c9812795770fbf1451a4392d158b8ad59e011c1894c167a0f8014d67dcb7f49246005a15dd54e47af161848df3d977f7394314f7c253c51595d276 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f289d5218316bc0c88de5c2e9853e6da |
| SHA1 | cc85691d7273f8d20e62ac293afe3163a5a235cd |
| SHA256 | a3b0df05d59cc11a638af7b7d25af5089847d0b157cc5d20575f6175c625bfdf |
| SHA512 | 4b830d07238719d691e48faa74bb8cc9ada70107283d7f36d317764ab4be206d7345c101d7a1675a40d02945ff90c1b622902be7d6a9fd138a4fe954f827031b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 75a5561fce685815bd524b5a11a6aba2 |
| SHA1 | 3f8454ca45fe1b7f7f5ca8b1bd0cad36b20c556f |
| SHA256 | 991bedcc309c9747aba329e1929726f48a15c19c0faafe9f667388366dc56d9e |
| SHA512 | 17a4c739823ee0a16a84699c7881363b6edc846272e75895ff78f9818064b3b27a278d53a647254aa4d39529f21a0d1dead82597f226731f44ee79ea2b087bee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 715ef78b14dd074188c801e5c7e0869c |
| SHA1 | 8b06129629e4b73b8df10cd0bf2cf1fd59ee48ad |
| SHA256 | 267539825481a53cf4b05238ba06aeed57ee44f4a29b4788f09c9eda431fcf84 |
| SHA512 | ccfdc44d4ff1c38a9ee3d06697fad7656e2bbaafa20611760b785ddcbaf8c0f2466bd39ecdb15a0fa9e3084c82bc7f10e3be6bf51ef96b362767aaa50f5c059e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 36905c6efb2e9806df23249b5330871b |
| SHA1 | 216bf2c9b9cb7f2a67b978c352e9d6efa9e0e885 |
| SHA256 | f53f4b72410369f0bed1eb7e8dafc1ccbd3b9b63df1ba96ce903648851f7f123 |
| SHA512 | bb6fce948e6bca5fa09266700ba7747e9c35bc37e527a44b69dd9c524643171233942c1680b2a291cbd088ccf8c4b2b9253d3da3d412fe3bd1dc1c4cc3f50725 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |