Malware Analysis Report

2024-10-19 06:16

Sample ID: 220322-jzl5tabbbl
Target: bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5
SHA256: bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5
Threat Level: Likely malicious

The file bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5 was found to be: Likely malicious.

How to read the signatures below: the sample launches several Microsoft binaries (msedge.exe to open C:\Users\Admin\AppData\Local\Temp\v1843453.pdf and iexplore.exe to load www.adobe.com, consistent with a PDF lure), and many of the listed signatures are raised by those processes rather than by the sample. Attributable to the sample and to the executables running from its Temp directory (taskmgr.exe, msavhost.exe, mscvhost.exe) are the Startup-folder shortcut "Windows 10 updater.lnk", the Geo\Nation locale query, the modification of the Zone.Identifier stream on FBE.ZIP, the DisableFirstRunCustomize write for Internet Explorer, and the foreground-window polling. The Run key, Program Files, BIOS-enumeration, registry-class and remaining Internet Explorer rows are attributed to msedge.exe, Edge's setup.exe and IEXPLORE.EXE, and the AdjustPrivilegeToken rows to IEXPLORE.EXE, AUDIODG.EXE and svchost.exe.

Malicious Activity Summary

Tags: persistence

Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-30 11:29

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-22 08:06
Reported: 2022-03-22 08:09
Platform: win10v2004-en-20220113
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe"

Signatures

Checks computer location settings

Both the sample and the taskmgr.exe running from the same Temp directory read HKCU\Control Panel\International\Geo\Nation, the user's configured country; reading this value is a common geofencing check.
Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\taskmgr.exe N/A

Drops startup file

The shortcut is written to the per-user Startup folder, so it runs at every logon of this user. The report does not show the shortcut's target; it has to be recovered from the .lnk itself.
Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows 10 updater.lnk C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe N/A

Adds Run key to start application

Tags: persistence

The process in this row is msedge.exe, which the sample launched to display a PDF, and the row records the Run key being created, not a value being written under it. No Run value set by the sample appears in this report; its persistence in this run is the Startup-folder shortcut above.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops file in Program Files directory

Both rows are Edge's own installer (setup.exe) writing its SetupMetrics files under the Edge directory, not the sample.
Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\45850e59-1a1b-4260-9bdd-1de5f827af22.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129011008.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

The BIOS manufacturer and product name are read by msedge.exe, not by the sample, so these rows do not show the sample fingerprinting the virtual machine.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Two of these rows belong to the dropped taskmgr.exe: it creates HKCU\Software\Microsoft\Internet Explorer\Main and sets DisableFirstRunCustomize = 1, which suppresses Internet Explorer's first-run dialog; the sample launches iexplore.exe against www.adobe.com in the same run. Every other row is IEXPLORE.EXE writing its own state (VersionManager, DOMStorage for adobe.com, TabbedBrowsing, Recovery) once launched.
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30948803" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4281487210" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "70" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4281331060" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FFD5F429-A9B6-11EC-B9A4-DE15C9F76948} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349580460" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30948803" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a0000000002000000000010660000000100002000000040d995fb062cfaa0711072368ea0fb85d3d51d07e1b071895011ac8a7826028a000000000e800000000200002000000059929d0ad6751b40f72d5815ac2dee2c22e799270380b48a2b6290070326005920000000941e6c3bd4c06b66d4a6cc740687ecc873b0f61bca1a741e2bdf8fd35ffa137640000000f98bbe514f245ebef5fdbfcf093f80fa4662cd4c0ab7fc16b02b0da286e4feb8d1b57988935db2d1d0010d5d6a5b9af08db876758a74a801a741d7f1e1a384a9 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "48" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30948803" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Users\Admin\AppData\Local\Temp\taskmgr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "48" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1069d902ad14d801 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a0000000002000000000010660000000100002000000087bbc116b1e6c053b6faa0bea7be38ec42057edb9a1ebe08ae1cbfa9a26b345a000000000e80000000020000200000005658011d9c917fbca25c52a2896331dfb7a82b2f04e786dcf38909b5d5b3543d20000000846da79b54b3351562d4002823ffe3aa6f646b7e5c6617a065a0def2df34387040000000129ab38977afbfe2e2e8d5039c16363f9b48600ade447869933629cb8d14c41d6f1f5e3d614e6ef0e40712dbf160cdd6ee0703d628e1ca4baafb13e92f2c08bb C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4281331060" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "70" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4281487210" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "70" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f05f0c03ad14d801 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30948803" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Both rows are attributed to msedge.exe and IEXPLORE.EXE, not to the sample.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1346565761-3498240568-4147300184-1000\{FAFDDEC7-C24F-4259-84CE-F22FBCFAB468} C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

NTFS ADS

Zone.Identifier is the alternate data stream that carries the Mark-of-the-Web. The sample opens that stream for modification on FBE.ZIP in its own Temp directory; when the dropped files are collected, check whether the archive's zone marker was written or cleared.
Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\FBE.ZIP:Zone.Identifier C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

The two processes polling the foreground window are executables running from the sample's Temp directory, not Windows binaries, despite names that resemble system host processes.
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\msavhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mscvhost.exe N/A

Suspicious use of AdjustPrivilegeToken

None of these token adjustments is made by the sample or its dropped files: the SeShutdownPrivilege and SeCreatePagefilePrivilege rows are IEXPLORE.EXE, the rest are AUDIODG.EXE and svchost.exe, all ordinary for those binaries.
Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Every row below pairs a parent with a process it had just launched (compare the Processes list), a pattern that process creation itself produces because the parent writes the new child's start-up parameters into its address space. Read on its own the signature is therefore not evidence of code injection, but the table gives the process tree of the run: the sample (PID 2796) started msedge.exe (3836), taskmgr.exe (4612) and iexplore.exe (428), and the remaining writes are Edge and Internet Explorer into their own helper processes. Repeated identical rows are collapsed with a call count.

Description (call count) Indicator Process Target
PID 2796 wrote to memory of 3836 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2796 wrote to memory of 4612 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
PID 2796 wrote to memory of 428 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3836 wrote to memory of 2444 (2 calls) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 428 wrote to memory of 1768 (2 calls) N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1768 wrote to memory of 4568 (3 calls) N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3836 wrote to memory of 3648 (40 calls) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3836 wrote to memory of 3620 (2 calls) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3836 wrote to memory of 4160 (7 calls) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
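The signature tables in this section are flattened sandbox rows whose Indicator column can contain spaces and even start with a drive letter, which makes the Process column easy to misread. The following Python is an added example (not part of this report and not the sandbox's own code): it splits each row into its four columns, rebuilds the parent/child process tree from the WriteProcessMemory rows, and attributes each indicator either to the sample (anything running from C:\Users\Admin\AppData\Local\Temp\, which here covers the sample itself plus taskmgr.exe, msavhost.exe and mscvhost.exe) or to the Microsoft binaries it launched (anything under C:\Program Files or C:\Windows). The embedded rows are copied from this section's tables, with the WriteProcessMemory rows in the sandbox's one-row-per-call form; the directory prefixes, function names and the constructed row list are choices made for this example.

```python
"""Parse flattened sandbox signature rows, rebuild the process tree and
attribute each indicator to the sample or to a launched Microsoft binary.

Added example for this report; not sandbox or vendor code. SAMPLE_ROWS are
copied from the tables above; the directory prefixes are assumptions.
"""
import re
from collections import defaultdict

# Description phrases seen in the report's tables. The alternation is needed
# because the Indicator column may contain spaces and may start with "C:\".
DESC = (
    r"Key value queried|Key created|Key opened|File created|"
    r"File opened for modification|Set value \((?:int|str|data)\)|"
    r"PID \d+ wrote to memory of \d+|Token: \S+|N/A"
)
# Process always begins with "C:\"; Target is "N/A" or a second path.
ROW = re.compile(
    rf"^(?P<desc>{DESC}) (?P<indicator>.*?) (?P<process>C:\\.*?) (?P<target>N/A|C:\\.*)$"
)
WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")

# Assumption: everything running from the sample's drop directory is the sample's.
SAMPLE_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
# Assumption: these prefixes hold the Microsoft binaries the sample launched.
MICROSOFT_DIRS = ("C:\\Program Files", "C:\\Windows")

# Constructed input: rows copied from the behavioral2 tables of this report.
SAMPLE_ROWS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\taskmgr.exe N/A",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows 10 updater.lnk C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe N/A",
    r"Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A",
    r"File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\45850e59-1a1b-4260-9bdd-1de5f827af22.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A",
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A',
    r"File opened for modification C:\Users\Admin\AppData\Local\Temp\FBE.ZIP:Zone.Identifier C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe N/A",
    r"N/A N/A C:\Users\Admin\AppData\Local\Temp\msavhost.exe N/A",
    r"Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A",
    r"PID 2796 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"PID 2796 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Users\Admin\AppData\Local\Temp\taskmgr.exe",
    r"PID 2796 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    r"PID 3836 wrote to memory of 3648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"PID 3836 wrote to memory of 3648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"PID 428 wrote to memory of 1768 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"PID 1768 wrote to memory of 4568 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
]


def parse_row(line):
    """Split one flattened row into its four columns, or return None."""
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def attribute(row):
    """'sample' for the sample and its drops, 'microsoft' for launched
    Microsoft binaries, 'other' for anything else."""
    proc = row["process"]
    if proc.startswith(SAMPLE_DIR):
        return "sample"
    if proc.startswith(MICROSOFT_DIRS):
        return "microsoft"
    return "other"


def process_tree(rows):
    """Map parent PID -> {child PID: child image} from WriteProcessMemory rows.
    The sandbox emits one row per write, so repeated rows collapse to one edge."""
    tree = defaultdict(dict)
    for row in rows:
        m = WPM.match(row["desc"])
        if m:
            tree[int(m.group(1))][int(m.group(2))] = row["target"]
    return dict(tree)


def descendants(tree, pid):
    """All PIDs reachable from pid through the parent -> child edges."""
    seen, stack = set(), [pid]
    while stack:
        for child in tree.get(stack.pop(), {}):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def triage(lines):
    """Parse every row, group rows by origin and build the process tree."""
    rows = [r for r in map(parse_row, lines) if r]
    by_origin = defaultdict(list)
    for row in rows:
        by_origin[attribute(row)].append(row)
    sample_rows = by_origin.get("sample", [])
    return {
        "rows": rows,
        "by_origin": dict(by_origin),
        "tree": process_tree(rows),
        # Indicators the sample or its drops raised, minus rows with no indicator.
        "sample_indicators": sorted(
            f"{r['desc']}: {r['indicator']}" for r in sample_rows if r["indicator"] != "N/A"
        ),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for parent, children in sorted(result["tree"].items()):
        for pid, image in sorted(children.items()):
            print(f"{parent} -> {pid}  {image}")
    print("sample-attributable indicators:")
    for item in result["sample_indicators"]:
        print("  " + item)
```

Run it as a script to print the tree and the sample-attributable indicators, or import it and feed `triage()` the rows of another report in the same layout. The Process column is located by the first " C:\" that leaves a valid Target behind it, so a registry value whose data itself contains a path would need the description list and the prefix tuple adjusted for that report.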

Processes

C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe

"C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\v1843453.pdf

C:\Users\Admin\AppData\Local\Temp\taskmgr.exe

"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe" 0

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" www.adobe.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffea90546f8,0x7ffea9054708,0x7ffea9054718

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" www.adobe.com

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5752 /prefetch:6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x404 0x4a4

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff748595460,0x7ff748595470,0x7ff748595480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4084 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\mscvhost.exe

"C:\Users\Admin\AppData\Local\Temp\mscvhost.exe" 0

C:\Users\Admin\AppData\Local\Temp\msavhost.exe

"C:\Users\Admin\AppData\Local\Temp\msavhost.exe" 0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,4589414390008230638,8628306077310940677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1692 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.adobe.com udp
CH 80.67.82.200:80 www.adobe.com tcp
CH 80.67.82.200:80 www.adobe.com tcp
CH 80.67.82.200:443 www.adobe.com tcp
US 8.8.8.8:53 use.typekit.net udp
US 8.8.8.8:53 s7d1.scene7.com udp
US 8.8.8.8:53 auth.services.adobe.com udp
FR 2.18.228.106:443 s7d1.scene7.com tcp
FR 2.18.228.106:443 s7d1.scene7.com tcp
FR 2.22.22.75:443 use.typekit.net tcp
FR 2.22.22.75:443 use.typekit.net tcp
NL 65.9.82.68:443 auth.services.adobe.com tcp
NL 65.9.82.68:443 auth.services.adobe.com tcp
US 8.8.8.8:53 geo2.adobe.com udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
FR 2.18.231.54:443 geo2.adobe.com tcp
FR 2.18.231.54:443 geo2.adobe.com tcp
US 8.8.8.8:53 assets.adobedtm.com udp
FR 2.18.99.124:443 assets.adobedtm.com tcp
FR 2.18.99.124:443 assets.adobedtm.com tcp
IE 20.67.219.150:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 s.go-mpulse.net udp
NL 104.80.224.132:443 s.go-mpulse.net tcp
NL 104.80.224.132:443 s.go-mpulse.net tcp
US 8.8.8.8:53 adobe.tt.omtrdc.net udp
IE 52.211.96.107:443 adobe.tt.omtrdc.net tcp
IE 52.211.96.107:443 adobe.tt.omtrdc.net tcp
US 8.8.8.8:53 dpm.demdex.net udp
US 8.8.8.8:53 smartscreen-prod.microsoft.com udp
IE 20.82.250.189:443 smartscreen-prod.microsoft.com tcp
IE 52.19.107.252:443 dpm.demdex.net tcp
IE 52.19.107.252:443 dpm.demdex.net tcp
IE 20.82.250.189:443 smartscreen-prod.microsoft.com tcp
IE 20.82.250.189:443 smartscreen-prod.microsoft.com tcp
US 8.8.8.8:53 www.bing.com udp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 adobeid-na1.services.adobe.com udp
IE 54.73.65.43:443 adobeid-na1.services.adobe.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
US 204.79.197.203:443 tcp
US 8.8.8.8:53 dns.google udp
US 52.0.93.32:443 sstats.adobe.com tcp
US 52.0.93.32:443 sstats.adobe.com tcp
US 8.8.8.8:53 dns.google udp
US 54.224.14.10:443 adobe.demdex.net tcp
US 54.224.14.10:443 adobe.demdex.net tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
NL 104.109.143.24:443 images-tv.adobe.com tcp
NL 104.109.143.24:443 images-tv.adobe.com tcp
NL 95.101.58.226:443 c.go-mpulse.net tcp
NL 95.101.58.226:443 c.go-mpulse.net tcp
US 8.8.8.8:53 dns.google udp
US 104.16.148.64:443 cdn.cookielaw.org tcp
US 104.16.148.64:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 dns.google udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 dns.google udp
US 3.216.131.23:443 adobedc.demdex.net tcp
US 13.107.21.200:443 www.bing.com tcp
US 8.8.8.8:443 dns.google udp
US 204.79.197.219:443 tcp
NL 84.53.185.74:443 tcp
NL 84.53.185.74:443 tcp
US 204.79.197.203:443 tcp
NL 23.202.229.35:443 tcp
NL 65.9.82.63:443 tcp
IE 52.142.114.2:443 tcp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 dns.google udp
US 204.79.197.219:443 tcp
US 204.79.197.203:443 tcp
NL 104.109.143.13:443 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 153.92.0.100:80 7536585869444.comuf.com tcp
US 8.8.8.8:53 dns.google udp
US 204.79.197.219:443 tcp
US 8.8.8.8:53 dns.google udp
NL 87.248.202.1:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
US 153.92.0.100:80 983427676545.netau.net tcp
US 8.8.8.8:53 dns.google udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 67.24.27.254:80 tcp
DE 67.24.27.254:80 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 104.27.59.115:587 mail.vfemail.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\taskmgr.exe

MD5 4e915fbe54c3fa26d9a188cbe770f39d
SHA1 43556ba6ed14c6a430999126f0d775c1bc2756da
SHA256 f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea
SHA512 33088c3adfc5bdd5c4255c8695203ef77571e1276614350d6eefff8539b31097ff98ee3f9f9c0acff9b46338a76b72240b470d216b2679d3601116ec86fa3307

C:\Users\Admin\AppData\Local\Temp\taskmgr.exe

MD5 4e915fbe54c3fa26d9a188cbe770f39d
SHA1 43556ba6ed14c6a430999126f0d775c1bc2756da
SHA256 f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea
SHA512 33088c3adfc5bdd5c4255c8695203ef77571e1276614350d6eefff8539b31097ff98ee3f9f9c0acff9b46338a76b72240b470d216b2679d3601116ec86fa3307

C:\Users\Admin\AppData\Local\Temp\temp1004.tmp

MD5 22920780aa0dc077f82aa8f865f39910
SHA1 40783b98d0183a52d33a431120a3f8fbd9cda48c
SHA256 f7c4f4cc6c99f0e5d21986eaf4e0ee5170b03b05ba444a6b2792a902e38f07b2
SHA512 0dba13c193143d5c13a3eeedf88ffb1a3e94b5d6d41eebe8cdc7113ed90d8fb221a7c10b7203dbb7570e504a3f05868d16cd1f0d2c24323fdb7fca7865a64327

C:\Users\Admin\AppData\Local\Temp\temp1111.tmp

MD5 d58bcce44b96c1799d28df2080d53573
SHA1 210335f7058316e7f5903341bfe29858f30c217c
SHA256 9a93933881b2a623a13f08949162b28521527619f91666fad9d93316c9a03459
SHA512 4f1998e96dc3fa232ada502425f681b1044358100e81e6125f49c9dd0b9454d84694b2346820c3c5a9a6ca3142e577146d1656902d7b8fcd3d032849a1d8171b

C:\Users\Admin\AppData\Local\Temp\temp1000.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 bc789d1a9f16788a2018d388c2630109
SHA1 1304a8b0b07401053311c62b09abe7aecfb473a7
SHA256 899617819ac426f2e07d5b65c4e78f302b678d626aa4ca013c20f2ec01a8f6a4
SHA512 915d39f89c6262e7a0ca6b1de55a884b2191cd97961e4e737e988ad094cbb37b4590ea7357cd9c2ed6dd8e6cb7e2445ac5c25ef68f420668dff2d0a1fa5edf7d

memory/3648-141-0x00007FFEC7150000-0x00007FFEC7151000-memory.dmp

\??\pipe\LOCAL\crashpad_3836_CNFNTJGTWNYHSJRN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\v1843453.pdf

MD5 5ca089449a75e46616e8d91b752e9744
SHA1 1cb3c8d178af11b3ba20ee808e0df723a2976f03
SHA256 7a3b87fb25cfed9c7e5e5dbc8891679df962a678b57d6c80d820cc1208c6d610
SHA512 83cdee8b65ea4b18efc1c905105d5add71690d3bf549437f6da956cabadc2906dcc7645f578a7ddeb3e2d3d2a9a9fc7481df0c17c3b3dda27ba0abb228b3e7e7

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ves0881\imagestore.dat

MD5 359046489d042788df60f6689fd22eed
SHA1 1c81c57dec0c0fc915bc8d67270dc446749086e9
SHA256 7cd8ccafeab65a8f4d24246e7d10228688716bb26ba1961918f0f077ba5d1cf9
SHA512 354d9029c7b166c0a8dd2b500495d660fdc948a98d95c213d247d898de15cff635dd61067c98a4ba5fee5f710ce4b8013b05bf2eabb853be45ac7f3588ceb1df

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\favicon[1].ico

MD5 b28bf60dd7e50b6dffd394ebc0f9057a
SHA1 9ea7eed87b689757780322989ef426aeffdc8f7a
SHA256 bf24c9e4d37f94d4bd2f870228ff421ca54b2949db3391dbd3818ec0e6db0f5f
SHA512 b16a7f756e38ffe4bbcc0394a6e41593cc9fe68aaca6350c1c20d10e7a284ebfc7937c15726d0f43a3abd7c43d128a041a109cac2c8f240707fe1997e633e025

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6

MD5 82f91c15a878af3dd7bccb2124cf92a9
SHA1 091fc562d01b611e23e9b15a783062f20776c25a
SHA256 628781dca16e28b8f492bf333fe38df0869e8183c40553bca2f25122c16cd0d2
SHA512 0ce4d0494f17b18160ddc499d057e169ca4fe439322dc3b9f45d4c70959262e9181ac71b5df34668500e64a80d7c82312ac332c6a52d66e41002664c7aa611b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6

MD5 9a974246b890d4f344f0cf9b222e8724
SHA1 6cf92117c95f21aa9d23f168cde3d2ec0f868178
SHA256 402a3a81df5cd2722b2169d966ce9e1997e9dfd86b1e4714125db95eb95e7752
SHA512 6bb925f0e6b7ceea39cc4d18224c1f5ac163fcd6879f3935cf0f3f9e150cf88faf0e183a96fca05f3616835ed116d60032feb698c54dfcbfccff583902c08968

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 b1e46923163b9894749e4eff2993968d
SHA1 3fc0497d6c92789a8697b106fa712cbb5907115c
SHA256 3db82c7910423f166a858faac10d1a25a72adebebcab17e42e8946a3a7788898
SHA512 ced4713abd0fcddcfe88503261ca37b7eaaf07f8e08127f50913013752a4ff21788aabcc5c5854d64147938bf6f3c3cbae6626486249f9c36954f49aea648017

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 f7dcb24540769805e5bb30d193944dce
SHA1 e26c583c562293356794937d9e2e6155d15449ee
SHA256 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512 cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 d16928e7854a0eb78a28203de354efe7
SHA1 0cd1416fc39fa306166bd99c376768a71c97af2f
SHA256 688cefe843518dc834d3cd2dc95ea7917552da8851e97c785df1e3a9ae8148b6
SHA512 33051e30a85f220330c20c7cb85e107d9306f526a8ed95b3e43be2f3df88f04472976f5a0e959ee226104dd45fda58d6797c4d4ee4b0d3baf0cb24be394ff0d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 d27055be73337870c4be2da723124afa
SHA1 0f0e9108fc5b0d72292f819be95766beadce8bd6
SHA256 f746f9e54d0fbec6fe7add70d8016a7bd3a9de0e48262cf47d994cc9aa056fef
SHA512 a4499f6ecc0ead01838c0ed32a58e15db59307c93c00bd19f8ce2fdb7595e14e2087f1942b3f7e8d8e2b3e16560ce7fa60ce4962f542749c2936e99ae9821464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 58c015828485f4ddb0162f9f4ad23367
SHA1 1dd4861f69f306c27397e1006a199f183af92718
SHA256 f9b8ea4c734dec8e61e9aefe0fd3e0fa5172939f2ce66e8d850726bfe91c1fae
SHA512 19e92036c59ae492ffad0a22668f6709372488681270b132aae97be103741e9aa4a34f05e48427364407d2c01a110e72ea8cc64eba8ccf7fbbaf60772f715b78

C:\Users\Admin\AppData\Local\Temp\temp1009.tmp

MD5 fba874ccb15f9a5995292ab195a9c289
SHA1 63bcb85cdc154158ff925c570843d4dc22e4b9cd
SHA256 1fb14ec18da75945002ad97840314a36753452d2bf11fc96a4c171e91784e5b9
SHA512 662c9eb2fa8da8059795996cd59bbd1d17ea79f79cc9054a8810d5737d75b6f374ca5d055bf46748a21ae7cb697ba8dd78bcb62fcbdaebebdf2a1d34d11352e0

C:\Users\Admin\AppData\Local\Temp\mscvhost.exe

MD5 be1dbc241b0f896af1a11dce2de70720
SHA1 8bc461717aa99a401d96e16c379d0c520bcd5ed0
SHA256 879226bc5f8159e06bbb7a8c37258b81b07c13c52e83e2b3b8fd8bf9182e8f5e
SHA512 fa1391cf214a9be3a297ebc40879f3381cdd194594789a36da85d25beb16531b0a9c118b3cca44ed74962b17389bdf7ea4e5f5264c2ac4833adfaffec33e22b9

C:\Users\Admin\AppData\Local\Temp\msavhost.exe

MD5 38489fea73599f23b3abd8168ac3e9d0
SHA1 d8eb6aa56476f921b81d2b428ffed84bb08677b9
SHA256 6848ac63649274eb2ab2d93bb48924b685ea90dc0d312bbd841b9f50d608cd60
SHA512 ed96d53eb1e26cdcb8627dedebeaa6e714bfebae9061defd905bd5f06f7d894556dae5e5b040cf239158a4cf2149891fcff177df6044e954928fcf66011f9920

C:\Users\Admin\AppData\Local\Temp\msavhost.exe

MD5 38489fea73599f23b3abd8168ac3e9d0
SHA1 d8eb6aa56476f921b81d2b428ffed84bb08677b9
SHA256 6848ac63649274eb2ab2d93bb48924b685ea90dc0d312bbd841b9f50d608cd60
SHA512 ed96d53eb1e26cdcb8627dedebeaa6e714bfebae9061defd905bd5f06f7d894556dae5e5b040cf239158a4cf2149891fcff177df6044e954928fcf66011f9920

C:\Users\Admin\AppData\Local\Temp\mscvhost.exe

MD5 be1dbc241b0f896af1a11dce2de70720
SHA1 8bc461717aa99a401d96e16c379d0c520bcd5ed0
SHA256 879226bc5f8159e06bbb7a8c37258b81b07c13c52e83e2b3b8fd8bf9182e8f5e
SHA512 fa1391cf214a9be3a297ebc40879f3381cdd194594789a36da85d25beb16531b0a9c118b3cca44ed74962b17389bdf7ea4e5f5264c2ac4833adfaffec33e22b9

C:\Users\Admin\AppData\Local\Temp\temp1001.tmp

MD5 5867864996fe03426905fc7b09c565c1
SHA1 a0525054675e66c1c4da384bb937d80c4d5a55ef
SHA256 23772fac859f7332f4bdb52ed047e0c5965cd2f9bb983782a55eb4eae270b028
SHA512 020a3e20a5081ad2dcad451012cc36f0239f61b6c6ece97a3587315c37cf6e924738d39a9ecdc861280393f76d5f53f6068224eebc21fdca7d21ef08e46fe812

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 fd065058f59fd81d85bb6bc356e71a20
SHA1 ada33dad71165bcd327a252435b7d028da584b2a
SHA256 407832b136d8d78bc09c7f4036cf85aed61918afa0bc73cd3d01dc5c8f76652e
SHA512 3da99eb6f5e7833bb494a92311501914bcbbe1ed9d873fffcb6640c05355b53a322683af2ab55b154a3c602c32429aa5ef25193a128020f26d790fbb6fbee683

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 14a1e02bc38d15299b5563212f853ce0
SHA1 3900e6c1a394836f69be587937edb471ba4816f6
SHA256 6c535ad9ed6b7059ce1aefc7a10d67f0125b81c51bcb5a56916e6bdd79427c60
SHA512 aa415f7b835a7761de8ca578e380a3d4637a9fdcdc7d9a41041469c6128b1ca3c8b4286029358ea81b895f24df3721af47f7ad0386ab5bee5f6ac9f979e34719

C:\Users\Admin\AppData\Local\Temp\temp1006.tmp

MD5 f93240bfc3520c7c31facf2af5e44a03
SHA1 459a1b2eeacacc767ccf14a2816075af6fda9887
SHA256 94f5c75bee3ef876f040c47c025e017f0332c321334317b940ff0f2f6ad16a97
SHA512 fa27b97e34aa1c91da6938a1d111ddb52918b63f6a8403dfc7063fc7a821bb7ce7423f43fc3161bb3098cf07befbeebe82764caa36f1256840c5f1805e06cde6

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 14a1e02bc38d15299b5563212f853ce0
SHA1 3900e6c1a394836f69be587937edb471ba4816f6
SHA256 6c535ad9ed6b7059ce1aefc7a10d67f0125b81c51bcb5a56916e6bdd79427c60
SHA512 aa415f7b835a7761de8ca578e380a3d4637a9fdcdc7d9a41041469c6128b1ca3c8b4286029358ea81b895f24df3721af47f7ad0386ab5bee5f6ac9f979e34719

C:\Users\Admin\AppData\Local\Temp\temp1003.tmp

MD5 48e97051bf9198dce0bc94282bb4b1fc
SHA1 6ddc2329a2a5cca7f1b318e251bc82fb7f3b6093
SHA256 acd1d6889151ea65a5e83ffb468632c41a27bf141feb7c67debdcc1b9277d0bc
SHA512 5c9c2f6d8cdf0d99c50e72728f53724b52101e6e804674249088ef61d667172894be452b1e5babb9cbd75cf43510d81cbb50830846a33f3d4aa0ef1d80a6c005

C:\Users\Admin\AppData\Local\Temp\temp1002.tmp

MD5 223e3e58aae4ca375e5f8dff8f0b5a53
SHA1 04bc7118a00f00de54a7f51e136be4e7671d57a2
SHA256 b3e50dd689e5e50387278395f809bd85d5c2d421a2aeaa7749394d2635e9be26
SHA512 bb7a109fa0117963dfdd5850014f0f38b08ef65a055decbab96b52c0956d7e4f725fc2f36282f7e57dcef97c5cc30ae0e0aa6d6e297d4689e4b3eaf5385b5674

C:\Users\Admin\AppData\Local\Temp\temp1000.tmp

MD5 74cb26f4f4ecc9673646190bdc4c8290
SHA1 c017971c31bdcc9ba13a283764972dde1f5fd2c2
SHA256 1530547f0e7b57bbc2c76fdd44bce977d8909d60440711068e79e8c47083afbb
SHA512 120feb60d98ddff9b7ef874b4d8008d174c9ccd39c3cf8c2993770fc11c002dd77159c32a7590b3c893c9f4744ec2d0619252c5f00c66a5b53c1924692b6ddf6

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 ec78ff203b955b9005a195a253823770
SHA1 fae7a3d47629be2c5198d1b93b0ab8aa80ac34e4
SHA256 aefae98093fca326cf30ba5015334e262f85a7cd7095e67b9ff11dd0c1be05c8
SHA512 4239ef0fc764e333984b82076b952604d4be9544bc6c32de0af3c0909e74e2af6b37b18366d7113612bcf462f5b17e73b2957ee10d0696b54310880d9c1832b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Other

MD5 cd0395742b85e2b669eaec1d5f15b65b
SHA1 43c81d1c62fc7ff94f9364639c9a46a0747d122e
SHA256 2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
SHA512 4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Entities

MD5 0d37c9d98f35f2c6524bd9b874ec93ed
SHA1 87d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5
SHA256 19ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac
SHA512 68e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Staging

MD5 9ca5eb41a53645be63d247ad8a9a7869
SHA1 2e98b04b5a2efb04d20bc7fe51b05c4e4841205b
SHA256 f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9
SHA512 7dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Other

MD5 c6c7f3ee1e17acbff6ac22aa89b02e4e
SHA1 bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
SHA256 a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
SHA512 86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Social

MD5 976b1cf7e3442f88cd8ba26d3f0965bb
SHA1 b75438dc71de4ac761d94a215ddbffadcd1225b0
SHA256 decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541
SHA512 d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Fingerprinting

MD5 a004023825237dadc8f934758ff9eaf2
SHA1 c981a900b5ce63884635cedfe5ba722416021cb2
SHA256 3c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7
SHA512 e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Cryptomining

MD5 4ec1eda0e8a06238ff5bf88569964d59
SHA1 a2e78944fcac34d89385487ccbbfa4d8f078d612
SHA256 696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
SHA512 c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Content

MD5 7f077f40c2d1ce8e95faa8fdb23ed8b4
SHA1 2c329e3e20ea559974ddcaabc2c7c22de81e7ad2
SHA256 bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
SHA512 c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics

MD5 4cefbb980962973a354915a49d1b0f4d
SHA1 1d20148cab5cdadb85fad6041262584a12c2745d
SHA256 66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a
SHA512 6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising

MD5 d024831cae8599f0edee70275d99e843
SHA1 69e08b543802b130da5305cbb0140bda5601079c
SHA256 0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978
SHA512 ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Social

MD5 152b745da17397ed5a2f3059bb157600
SHA1 47bf4e575ba1acf47dcc99f1800f753b4cc65ef6
SHA256 ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8
SHA512 4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting

MD5 b51076d21461e00fcbf3dbd2c9e96b2b
SHA1 31311536cf570f2f9c88d21f03a935ac6e233231
SHA256 21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993
SHA512 3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining

MD5 8c31feb9c3faaa9794aa22ce9f48bfbd
SHA1 f5411608a15e803afc97961b310bb21a6a8bd5b6
SHA256 6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
SHA512 ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Content

MD5 94c183b842784d0ae69f8aa57c8ac015
SHA1 c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
SHA256 aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
SHA512 5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Analytics

MD5 fad197d6ffd32d1268b9e7e8d13ab32a
SHA1 b0129887a75965bb2ef56a2c39d3231e5b87265d
SHA256 4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3
SHA512 01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising

MD5 4e9962558e74db5038d8073a5b3431aa
SHA1 3cd097d9dd4b16a69efbb0fd1efe862867822146
SHA256 6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512 fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-22 08:06

Reported

2022-03-22 08:09

Platform

win7-20220310-en

Max time kernel

4294211s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows 10 updater.lnk C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Users\Admin\AppData\Local\Temp\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "48" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "70" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d047bd3ccc3dd801 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{629BF371-A9BF-11EC-8C38-42E8254CF66F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "354704976" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "70" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "70" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e50000000002000000000010660000000100002000000082bfc54bae0ae40a2e904cefbcc76b7605c563f272ba8635b5dd02cb22c32b55000000000e800000000200002000000085ebc86209bb99edcb4f811383ac8c84e2316db2dc8a43a2323f300f565a60f120000000482daca3ebbc31f55373729140585a74c096c381de52188c05ee6eea558ae1c340000000ffc45a762220cb2f62f9b6aaced896c6926dd7221c01af437c1c3f05e4c05e2b6f282db7723aac04c60141c2bc1f9924ad1f5664681ea9f1ab8316e400c4d130 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "48" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msavhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mscvhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 1628 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 1628 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 1628 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 1628 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
PID 1628 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
PID 1628 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
PID 1628 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
PID 1628 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1628 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1628 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1628 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1996 wrote to memory of 2016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 2016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 2016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 2016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2016 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2016 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2016 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2016 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1348 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\mscvhost.exe
PID 1348 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\mscvhost.exe
PID 1348 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\mscvhost.exe
PID 1348 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\mscvhost.exe
PID 1348 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\msavhost.exe
PID 1348 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\msavhost.exe
PID 1348 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\msavhost.exe
PID 1348 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\msavhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe

"C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\v1843453.pdf"

C:\Users\Admin\AppData\Local\Temp\taskmgr.exe

"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe" 0

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" www.adobe.com

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" www.adobe.com

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\msavhost.exe

"C:\Users\Admin\AppData\Local\Temp\msavhost.exe" 0

C:\Users\Admin\AppData\Local\Temp\mscvhost.exe

"C:\Users\Admin\AppData\Local\Temp\mscvhost.exe" 0
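The WriteProcessMemory rows and the Processes list above together give the execution chain: the sample writes into three children (AcroRd32.exe opening the decoy v1843453.pdf, a Temp-resident taskmgr.exe, and iexplore.exe pointed at www.adobe.com), and taskmgr.exe in turn writes into mscvhost.exe and msavhost.exe. The script below is an added example, not part of the sandbox report: it rebuilds that tree from the rows (one entry per writer/target pair, since the report repeats each row four times) and tags images that run from a user-writable directory or reuse the name of a real Windows binary. The PID-to-command-line pairing and both heuristics are the editor's own, not sandbox signatures.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows and
tag masquerading candidates. Added example; data copied from the tables above."""
from collections import defaultdict
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bd78f34c238d0026657fb44dac52c426d0f00a4b7462563b00cc0b3d0ba8f6d5.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
IE32 = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
IE64 = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IE32_TAB = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

# (writer PID, target PID, writer image, target image): one entry per pair,
# constructed from the "Suspicious use of WriteProcessMemory" table.
WRITE_EVENTS = [
    (1628, 1732, SAMPLE, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
    (1628, 1348, SAMPLE, TEMP + r"\taskmgr.exe"),
    (1628, 1996, SAMPLE, IE32),
    (1996, 2016, IE32, IE64),
    (2016, 1980, IE64, IE32_TAB),
    (1348, 948, TEMP + r"\taskmgr.exe", TEMP + r"\mscvhost.exe"),
    (1348, 1148, TEMP + r"\taskmgr.exe", TEMP + r"\msavhost.exe"),
]

# Command lines from the "Processes" section. The report lists them without
# PIDs; the pairing below is the editor's, derived from the write targets.
CMDLINES = {
    1628: f'"{SAMPLE}"',
    1732: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\v1843453.pdf"',
    1348: r'"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe" 0',
    1996: r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" www.adobe.com',
    2016: r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" www.adobe.com',
    1980: r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2',
    1148: r'"C:\Users\Admin\AppData\Local\Temp\msavhost.exe" 0',
    948: r'"C:\Users\Admin\AppData\Local\Temp\mscvhost.exe" 0',
}

# Editor's heuristics: names of binaries that ship under %SystemRoot%, and
# directory fragments a standard user can write to.
SYSTEM_BINARY_NAMES = {"taskmgr.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def build_tree(events):
    """Return (children, image): parent PID -> set of child PIDs, PID -> image path."""
    children = defaultdict(set)
    image = {}
    for writer, target, writer_img, target_img in events:
        children[writer].add(target)
        image.setdefault(writer, writer_img)
        image.setdefault(target, target_img)
    return children, image


def flags_for(path):
    """Tags for one image path: runs from a user-writable dir, or borrows a system binary's name."""
    low = path.lower()
    flags = set()
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        flags.add("temp_resident")
    if ntpath.basename(low) in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        flags.add("system_name_collision")
    return flags


def flagged_processes(events):
    _, image = build_tree(events)
    return {pid: flags_for(p) for pid, p in image.items() if flags_for(p)}


def roots(children):
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def render(events, cmdlines):
    """Indented tree, one line per process: PID [tags] command line."""
    children, image = build_tree(events)
    lines = []

    def walk(pid, depth):
        tags = ",".join(sorted(flags_for(image[pid]))) or "-"
        lines.append(f"{'  ' * depth}{pid} [{tags}] {cmdlines.get(pid, image[pid])}")
        for kid in sorted(children.get(pid, ())):
            walk(kid, depth + 1)

    for root in roots(children):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(WRITE_EVENTS, CMDLINES))
```

The sample itself is tagged temp_resident only because the sandbox detonates it from Temp; the entries worth acting on are taskmgr.exe (both tags: a System32 binary name running from Temp) and the two svchost-lookalikes it spawns. AcroRd32.exe and the Internet Explorer chain carry no tags, which is consistent with their role here as a decoy document and a decoy browse.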

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.adobe.com udp
NL 104.109.143.159:80 www.adobe.com tcp
NL 104.109.143.159:80 www.adobe.com tcp
NL 104.109.143.159:443 www.adobe.com tcp
NL 104.109.143.159:443 www.adobe.com tcp
NL 104.109.143.159:443 www.adobe.com tcp
NL 104.109.143.159:443 www.adobe.com tcp
US 8.8.8.8:53 use.typekit.net udp
NL 104.109.143.159:443 www.adobe.com tcp
NL 104.109.143.159:443 www.adobe.com tcp
FR 2.22.22.147:443 use.typekit.net tcp
FR 2.22.22.147:443 use.typekit.net tcp
US 8.8.8.8:53 auth.services.adobe.com udp
US 8.8.8.8:53 s7d1.scene7.com udp
FR 2.18.228.106:443 s7d1.scene7.com tcp
FR 2.18.228.106:443 s7d1.scene7.com tcp
NL 65.9.82.95:443 auth.services.adobe.com tcp
NL 65.9.82.95:443 auth.services.adobe.com tcp
US 8.8.8.8:53 geo2.adobe.com udp
FR 2.18.231.54:443 geo2.adobe.com tcp
FR 2.18.231.54:443 geo2.adobe.com tcp
US 8.8.8.8:53 assets.adobedtm.com udp
FR 2.18.99.124:443 assets.adobedtm.com tcp
FR 2.18.99.124:443 assets.adobedtm.com tcp
US 8.8.8.8:53 s.go-mpulse.net udp
FR 2.22.22.147:443 use.typekit.net tcp
FR 2.22.22.147:443 use.typekit.net tcp
FR 2.22.22.147:443 use.typekit.net tcp
FR 2.22.22.147:443 use.typekit.net tcp
NL 104.80.224.132:443 s.go-mpulse.net tcp
NL 104.80.224.132:443 s.go-mpulse.net tcp
US 8.8.8.8:53 adobe.tt.omtrdc.net udp
IE 54.228.10.200:443 adobe.tt.omtrdc.net tcp
US 8.8.8.8:53 dpm.demdex.net udp
US 54.160.125.64:443 dpm.demdex.net tcp
US 54.160.125.64:443 dpm.demdex.net tcp
US 8.8.8.8:53 images-tv.adobe.com udp
NL 104.109.143.6:443 images-tv.adobe.com tcp
NL 104.109.143.6:443 images-tv.adobe.com tcp
FR 2.18.99.124:443 assets.adobedtm.com tcp
FR 2.18.99.124:443 assets.adobedtm.com tcp
FR 2.18.99.124:443 assets.adobedtm.com tcp
US 8.8.8.8:53 sstats.adobe.com udp
US 54.163.234.74:443 sstats.adobe.com tcp
US 54.163.234.74:443 sstats.adobe.com tcp
IE 54.228.10.200:443 adobe.tt.omtrdc.net tcp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 104.16.148.64:443 cdn.cookielaw.org tcp
US 104.16.148.64:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 c.go-mpulse.net udp
NL 95.101.58.226:443 c.go-mpulse.net tcp
NL 95.101.58.226:443 c.go-mpulse.net tcp
US 8.8.8.8:53 adobedc.demdex.net udp
US 52.0.93.32:443 adobedc.demdex.net tcp
US 8.8.8.8:53 7536585869444.comuf.com udp
US 153.92.0.100:80 7536585869444.comuf.com tcp
US 8.8.8.8:53 983427676545.netau.net udp
US 153.92.0.100:80 983427676545.netau.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 mail.vfemail.net udp
US 104.27.59.115:587 mail.vfemail.net tcp
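Most of the Network table is explained by the sample launching iexplore.exe with www.adobe.com: the Adobe hosts and the third-party assets that page loads (typekit, scene7, adobedtm, go-mpulse, omtrdc, demdex, cookielaw), plus ieonline.microsoft.com, which Internet Explorer contacts on its own. What remains is two plain-HTTP connections to the same IP under numeric-label hostnames and an SMTP submission connection on port 587. The script below is an added example, not part of the report: it buckets the rows by that reasoning so the connections needing review are not lost among decoy traffic. The allowlist of decoy domains and the review heuristics are the editor's assumptions, and the row set is a constructed excerpt of the table above.

```python
"""Bucket a sandbox Network table into resolver lookups, decoy-browse traffic,
browser background traffic, and connections left for review. Added example."""
from collections import defaultdict

# Constructed excerpt of the Network table above (country, destination, domain, proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 www.adobe.com udp
NL 104.109.143.159:80 www.adobe.com tcp
NL 104.109.143.159:443 www.adobe.com tcp
FR 2.22.22.147:443 use.typekit.net tcp
NL 65.9.82.95:443 auth.services.adobe.com tcp
US 54.160.125.64:443 dpm.demdex.net tcp
US 104.16.148.64:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 7536585869444.comuf.com udp
US 153.92.0.100:80 7536585869444.comuf.com tcp
US 153.92.0.100:80 983427676545.netau.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 104.27.59.115:587 mail.vfemail.net tcp
"""

# Editor's assumption: hosts the www.adobe.com page pulls in, and IE's own
# background traffic. Everything else goes to the review bucket.
DECOY_SUFFIXES = ("adobe.com", "typekit.net", "scene7.com", "adobedtm.com",
                  "go-mpulse.net", "omtrdc.net", "demdex.net", "cookielaw.org")
BROWSER_BACKGROUND = ("microsoft.com",)
RESOLVER = "8.8.8.8:53"          # the sandbox's configured DNS server
MAIL_PORTS = {25, 465, 587}


def parse_rows(text):
    """Parse 'country host:port domain proto' rows; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def in_domain(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(row):
    """Return (bucket, reasons) for one connection."""
    if row["proto"] == "udp" and f'{row["host"]}:{row["port"]}' == RESOLVER:
        return "dns", []
    if in_domain(row["domain"], DECOY_SUFFIXES):
        return "decoy_browse", []
    if in_domain(row["domain"], BROWSER_BACKGROUND):
        return "browser_background", []
    reasons = []
    if row["port"] in MAIL_PORTS:
        reasons.append("smtp submission port")
    if row["port"] == 80:
        reasons.append("cleartext http")
    if row["domain"].split(".")[0].isdigit():
        reasons.append("numeric hostname label")
    return "review", reasons


def triage(text):
    """Return {bucket: {(host:port, domain): reasons}} with duplicate rows collapsed."""
    buckets = defaultdict(dict)
    for row in parse_rows(text):
        bucket, reasons = classify(row)
        key = (f'{row["host"]}:{row["port"]}', row["domain"])
        buckets[bucket].setdefault(key, reasons)
    return buckets


if __name__ == "__main__":
    for key, reasons in triage(NETWORK_ROWS)["review"].items():
        print(key, "; ".join(reasons))
```

The report records only that the connection to mail.vfemail.net:587 was made, not what was sent over it; whether it carried credentials or collected data has to be confirmed from the detonation's pcap before it is written up as exfiltration. The same goes for the two port-80 connections to 153.92.0.100: the table shows the hosts, not the requests.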

Files

memory/1628-56-0x0000000074CC1000-0x0000000074CC3000-memory.dmp

memory/1628-57-0x0000000003DC0000-0x0000000005116000-memory.dmp

\Users\Admin\AppData\Local\Temp\taskmgr.exe

MD5 4e915fbe54c3fa26d9a188cbe770f39d
SHA1 43556ba6ed14c6a430999126f0d775c1bc2756da
SHA256 f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea
SHA512 33088c3adfc5bdd5c4255c8695203ef77571e1276614350d6eefff8539b31097ff98ee3f9f9c0acff9b46338a76b72240b470d216b2679d3601116ec86fa3307

\Users\Admin\AppData\Local\Temp\taskmgr.exe

MD5 4e915fbe54c3fa26d9a188cbe770f39d
SHA1 43556ba6ed14c6a430999126f0d775c1bc2756da
SHA256 f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea
SHA512 33088c3adfc5bdd5c4255c8695203ef77571e1276614350d6eefff8539b31097ff98ee3f9f9c0acff9b46338a76b72240b470d216b2679d3601116ec86fa3307

C:\Users\Admin\AppData\Local\Temp\taskmgr.exe

MD5 4e915fbe54c3fa26d9a188cbe770f39d
SHA1 43556ba6ed14c6a430999126f0d775c1bc2756da
SHA256 f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea
SHA512 33088c3adfc5bdd5c4255c8695203ef77571e1276614350d6eefff8539b31097ff98ee3f9f9c0acff9b46338a76b72240b470d216b2679d3601116ec86fa3307

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 166e0d971da741c6ccaa006c3829afb6
SHA1 2703aebb2ec43981adee2ddee415c7773e961ab7
SHA256 97db7ec4663a5b322cf85bf77a750d7231cfd2cff861d0e8a9f19a58d8e923aa
SHA512 20061cd641139ee8ca64bc2dc1f777ec6b28247c7cb45bdc9190424a4c7ab44cdcc6a6858e1f44a523cf848e5326d3c3ddc632e8d37e3fcad50ecb37bca70ab6

C:\Users\Admin\AppData\Local\Temp\temp1111.tmp

MD5 d58bcce44b96c1799d28df2080d53573
SHA1 210335f7058316e7f5903341bfe29858f30c217c
SHA256 9a93933881b2a623a13f08949162b28521527619f91666fad9d93316c9a03459
SHA512 4f1998e96dc3fa232ada502425f681b1044358100e81e6125f49c9dd0b9454d84694b2346820c3c5a9a6ca3142e577146d1656902d7b8fcd3d032849a1d8171b

C:\Users\Admin\AppData\Local\Temp\temp1004.tmp

MD5 22920780aa0dc077f82aa8f865f39910
SHA1 40783b98d0183a52d33a431120a3f8fbd9cda48c
SHA256 f7c4f4cc6c99f0e5d21986eaf4e0ee5170b03b05ba444a6b2792a902e38f07b2
SHA512 0dba13c193143d5c13a3eeedf88ffb1a3e94b5d6d41eebe8cdc7113ed90d8fb221a7c10b7203dbb7570e504a3f05868d16cd1f0d2c24323fdb7fca7865a64327

C:\Users\Admin\AppData\Local\Temp\temp1000.tmp

MD5 74cb26f4f4ecc9673646190bdc4c8290
SHA1 c017971c31bdcc9ba13a283764972dde1f5fd2c2
SHA256 1530547f0e7b57bbc2c76fdd44bce977d8909d60440711068e79e8c47083afbb
SHA512 120feb60d98ddff9b7ef874b4d8008d174c9ccd39c3cf8c2993770fc11c002dd77159c32a7590b3c893c9f4744ec2d0619252c5f00c66a5b53c1924692b6ddf6

C:\Users\Admin\AppData\Local\Temp\v1843453.pdf

MD5 5ca089449a75e46616e8d91b752e9744
SHA1 1cb3c8d178af11b3ba20ee808e0df723a2976f03
SHA256 7a3b87fb25cfed9c7e5e5dbc8891679df962a678b57d6c80d820cc1208c6d610
SHA512 83cdee8b65ea4b18efc1c905105d5add71690d3bf549437f6da956cabadc2906dcc7645f578a7ddeb3e2d3d2a9a9fc7481df0c17c3b3dda27ba0abb228b3e7e7

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w8w9llr\imagestore.dat

MD5 a68a11674ed38bda24e83b284d3f0dab
SHA1 3987c9abcebfde1dadba35ca03795f14c539f62e
SHA256 4417d392820d121441427557d24c17fe0841dd60dc0c9e355c0bde918c6590b3
SHA512 45ba0b9f8f7e1f69522dc327ca52de24dbb00763438f872d4228daa36842e9537410f1ec4b855a3bae0c0d656721e986dab5bf760266ab6799da228b4ca4c786

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5dfc37ea4a254efe1fe5db0ee3b53369
SHA1 6782781f627a72adbab11a4986430e3e1ec7610b
SHA256 8020457dac57de1e4567f795952b599d9cc71e0faa486f5ee19f2c60d3f178c3
SHA512 0b2ce4f0d14e10cfd9fc0e889267b4724888dc51773dccd3f81cb86e71aba5328ec02f421ae69b4d071ac5563d00eab09f572d8de6f5c124f9238c6dda497e1d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M5G0LMXJ.txt

MD5 65aedb285523c6578445130d93c7feb3
SHA1 432f39cf264324e21fd9c12077d4a3e06d33f02e
SHA256 b515e98306e7a5522380c0d5186b21336c7383e2ba37c126609f23ec62ba981d
SHA512 e99efe47910482feb2627b251ff6871069fbbe2ee69666b85f355c3c25238332f04cabded0f370831141d74faaf73573409e63fe09b3343d487f148607014db0

C:\Users\Admin\AppData\Local\Temp\temp1009.tmp

MD5 fba874ccb15f9a5995292ab195a9c289
SHA1 63bcb85cdc154158ff925c570843d4dc22e4b9cd
SHA256 1fb14ec18da75945002ad97840314a36753452d2bf11fc96a4c171e91784e5b9
SHA512 662c9eb2fa8da8059795996cd59bbd1d17ea79f79cc9054a8810d5737d75b6f374ca5d055bf46748a21ae7cb697ba8dd78bcb62fcbdaebebdf2a1d34d11352e0

C:\Users\Admin\AppData\Local\Temp\mscvhost.exe

MD5 be1dbc241b0f896af1a11dce2de70720
SHA1 8bc461717aa99a401d96e16c379d0c520bcd5ed0
SHA256 879226bc5f8159e06bbb7a8c37258b81b07c13c52e83e2b3b8fd8bf9182e8f5e
SHA512 fa1391cf214a9be3a297ebc40879f3381cdd194594789a36da85d25beb16531b0a9c118b3cca44ed74962b17389bdf7ea4e5f5264c2ac4833adfaffec33e22b9

\Users\Admin\AppData\Local\Temp\mscvhost.exe

MD5 be1dbc241b0f896af1a11dce2de70720
SHA1 8bc461717aa99a401d96e16c379d0c520bcd5ed0
SHA256 879226bc5f8159e06bbb7a8c37258b81b07c13c52e83e2b3b8fd8bf9182e8f5e
SHA512 fa1391cf214a9be3a297ebc40879f3381cdd194594789a36da85d25beb16531b0a9c118b3cca44ed74962b17389bdf7ea4e5f5264c2ac4833adfaffec33e22b9

\Users\Admin\AppData\Local\Temp\mscvhost.exe

MD5 be1dbc241b0f896af1a11dce2de70720
SHA1 8bc461717aa99a401d96e16c379d0c520bcd5ed0
SHA256 879226bc5f8159e06bbb7a8c37258b81b07c13c52e83e2b3b8fd8bf9182e8f5e
SHA512 fa1391cf214a9be3a297ebc40879f3381cdd194594789a36da85d25beb16531b0a9c118b3cca44ed74962b17389bdf7ea4e5f5264c2ac4833adfaffec33e22b9

C:\Users\Admin\AppData\Local\Temp\msavhost.exe

MD5 38489fea73599f23b3abd8168ac3e9d0
SHA1 d8eb6aa56476f921b81d2b428ffed84bb08677b9
SHA256 6848ac63649274eb2ab2d93bb48924b685ea90dc0d312bbd841b9f50d608cd60
SHA512 ed96d53eb1e26cdcb8627dedebeaa6e714bfebae9061defd905bd5f06f7d894556dae5e5b040cf239158a4cf2149891fcff177df6044e954928fcf66011f9920

C:\Users\Admin\AppData\Local\Temp\msavhost.exe

MD5 38489fea73599f23b3abd8168ac3e9d0
SHA1 d8eb6aa56476f921b81d2b428ffed84bb08677b9
SHA256 6848ac63649274eb2ab2d93bb48924b685ea90dc0d312bbd841b9f50d608cd60
SHA512 ed96d53eb1e26cdcb8627dedebeaa6e714bfebae9061defd905bd5f06f7d894556dae5e5b040cf239158a4cf2149891fcff177df6044e954928fcf66011f9920

\Users\Admin\AppData\Local\Temp\msavhost.exe

MD5 38489fea73599f23b3abd8168ac3e9d0
SHA1 d8eb6aa56476f921b81d2b428ffed84bb08677b9
SHA256 6848ac63649274eb2ab2d93bb48924b685ea90dc0d312bbd841b9f50d608cd60
SHA512 ed96d53eb1e26cdcb8627dedebeaa6e714bfebae9061defd905bd5f06f7d894556dae5e5b040cf239158a4cf2149891fcff177df6044e954928fcf66011f9920

C:\Users\Admin\AppData\Local\Temp\mscvhost.exe

MD5 be1dbc241b0f896af1a11dce2de70720
SHA1 8bc461717aa99a401d96e16c379d0c520bcd5ed0
SHA256 879226bc5f8159e06bbb7a8c37258b81b07c13c52e83e2b3b8fd8bf9182e8f5e
SHA512 fa1391cf214a9be3a297ebc40879f3381cdd194594789a36da85d25beb16531b0a9c118b3cca44ed74962b17389bdf7ea4e5f5264c2ac4833adfaffec33e22b9

\Users\Admin\AppData\Local\Temp\msavhost.exe

MD5 38489fea73599f23b3abd8168ac3e9d0
SHA1 d8eb6aa56476f921b81d2b428ffed84bb08677b9
SHA256 6848ac63649274eb2ab2d93bb48924b685ea90dc0d312bbd841b9f50d608cd60
SHA512 ed96d53eb1e26cdcb8627dedebeaa6e714bfebae9061defd905bd5f06f7d894556dae5e5b040cf239158a4cf2149891fcff177df6044e954928fcf66011f9920

\Users\Admin\AppData\Local\Temp\taskmgr.exe

MD5 4e915fbe54c3fa26d9a188cbe770f39d
SHA1 43556ba6ed14c6a430999126f0d775c1bc2756da
SHA256 f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea
SHA512 33088c3adfc5bdd5c4255c8695203ef77571e1276614350d6eefff8539b31097ff98ee3f9f9c0acff9b46338a76b72240b470d216b2679d3601116ec86fa3307

C:\Users\Admin\AppData\Local\Temp\taskmgr.exe

MD5 4e915fbe54c3fa26d9a188cbe770f39d
SHA1 43556ba6ed14c6a430999126f0d775c1bc2756da
SHA256 f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea
SHA512 33088c3adfc5bdd5c4255c8695203ef77571e1276614350d6eefff8539b31097ff98ee3f9f9c0acff9b46338a76b72240b470d216b2679d3601116ec86fa3307

C:\Users\Admin\AppData\Local\Temp\temp1001.tmp

MD5 5867864996fe03426905fc7b09c565c1
SHA1 a0525054675e66c1c4da384bb937d80c4d5a55ef
SHA256 23772fac859f7332f4bdb52ed047e0c5965cd2f9bb983782a55eb4eae270b028
SHA512 020a3e20a5081ad2dcad451012cc36f0239f61b6c6ece97a3587315c37cf6e924738d39a9ecdc861280393f76d5f53f6068224eebc21fdca7d21ef08e46fe812

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 62517f41a83e8082d53c279eb0c0abe1
SHA1 c9f060b8b130833d167d90159848593306450a49
SHA256 c8171391079c735eecfbcc7545516ee07153862cf4c01817aeb79f43824ff789
SHA512 9b391d52431abb5f7da57b2c693a766845a70fc728f9fe265d96dbd0fbe1aef5dca89124e3076c8cf5d3fefb822d133d2e5a895826374522a52cb458362d229b

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 62517f41a83e8082d53c279eb0c0abe1
SHA1 c9f060b8b130833d167d90159848593306450a49
SHA256 c8171391079c735eecfbcc7545516ee07153862cf4c01817aeb79f43824ff789
SHA512 9b391d52431abb5f7da57b2c693a766845a70fc728f9fe265d96dbd0fbe1aef5dca89124e3076c8cf5d3fefb822d133d2e5a895826374522a52cb458362d229b

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 e53d8f4d0814bcea20c20bbf1e71ec1b
SHA1 1d111bd462857b7e395a892f06e4024416ad0653
SHA256 08f445c42f4e0538314c2d5a534aa4afa089019816fe263b2242caf95ff9418a
SHA512 c7502d36bc5fac8542d4760fe285526fb536cdfee9ea4958cf3a4f058ca969b2520d025d67f21e011f9a3d405ccb422a2e85c2d3460e85b0ca3bdc3abc8b668c

C:\Users\Admin\AppData\Local\Temp\temp1006.tmp

MD5 f93240bfc3520c7c31facf2af5e44a03
SHA1 459a1b2eeacacc767ccf14a2816075af6fda9887
SHA256 94f5c75bee3ef876f040c47c025e017f0332c321334317b940ff0f2f6ad16a97
SHA512 fa27b97e34aa1c91da6938a1d111ddb52918b63f6a8403dfc7063fc7a821bb7ce7423f43fc3161bb3098cf07befbeebe82764caa36f1256840c5f1805e06cde6

C:\Users\Admin\AppData\Local\Temp\temp1003.tmp

MD5 48e97051bf9198dce0bc94282bb4b1fc
SHA1 6ddc2329a2a5cca7f1b318e251bc82fb7f3b6093
SHA256 acd1d6889151ea65a5e83ffb468632c41a27bf141feb7c67debdcc1b9277d0bc
SHA512 5c9c2f6d8cdf0d99c50e72728f53724b52101e6e804674249088ef61d667172894be452b1e5babb9cbd75cf43510d81cbb50830846a33f3d4aa0ef1d80a6c005

C:\Users\Admin\AppData\Local\Temp\temp1002.tmp

MD5 223e3e58aae4ca375e5f8dff8f0b5a53
SHA1 04bc7118a00f00de54a7f51e136be4e7671d57a2
SHA256 b3e50dd689e5e50387278395f809bd85d5c2d421a2aeaa7749394d2635e9be26
SHA512 bb7a109fa0117963dfdd5850014f0f38b08ef65a055decbab96b52c0956d7e4f725fc2f36282f7e57dcef97c5cc30ae0e0aa6d6e297d4689e4b3eaf5385b5674

C:\Users\Admin\AppData\Local\Temp\temp1000.tmp

MD5 74cb26f4f4ecc9673646190bdc4c8290
SHA1 c017971c31bdcc9ba13a283764972dde1f5fd2c2
SHA256 1530547f0e7b57bbc2c76fdd44bce977d8909d60440711068e79e8c47083afbb
SHA512 120feb60d98ddff9b7ef874b4d8008d174c9ccd39c3cf8c2993770fc11c002dd77159c32a7590b3c893c9f4744ec2d0619252c5f00c66a5b53c1924692b6ddf6

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 e53d8f4d0814bcea20c20bbf1e71ec1b
SHA1 1d111bd462857b7e395a892f06e4024416ad0653
SHA256 08f445c42f4e0538314c2d5a534aa4afa089019816fe263b2242caf95ff9418a
SHA512 c7502d36bc5fac8542d4760fe285526fb536cdfee9ea4958cf3a4f058ca969b2520d025d67f21e011f9a3d405ccb422a2e85c2d3460e85b0ca3bdc3abc8b668c

C:\Users\Admin\AppData\Local\Temp\temp1005.tmp

MD5 f69010c4011e7ac9e82fd7ffe424f0d9
SHA1 3a6535da0fecd67bb1153ad5e1d416e36dad6fe3
SHA256 d7a8bd9f3e5d0d7efffc4f650bdedb3c763f8c56f7e6c6f4e33e1682a87e9d01
SHA512 fbb76898825b47880a8ddfefde367b51688ba0a8e902d96038991ce31ee5cff469803b5dd5dccb2c1d99ef96cf245380d2cf5a96eef4a9be641cd2ba50733305
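The Files table lists the same dropped binaries several times, sometimes with the drive letter and sometimes as a drive-less `\Users\...` path, and it lists temp1005.tmp with four different hashes, i.e. the same path was rewritten with different contents during the run. The script below is an added example, not part of the report: it normalizes the two path spellings, collapses the repeats into a unique hash set, and reports paths that appeared with more than one hash. The entries are a constructed excerpt of the table above with the report's own SHA256 values; folding drive-less paths onto C: assumes a single-drive detonation VM.

```python
"""Deduplicate a sandbox Files table into unique hashes and rewritten paths.
Added example; hashes copied from the Files table above."""
from collections import defaultdict
import ntpath

# Constructed excerpt of the Files table: (path as printed, SHA256).
FILE_ENTRIES = [
    (r"\Users\Admin\AppData\Local\Temp\taskmgr.exe", "f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea"),
    (r"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe", "f1ef59570bada74723878f764146370e9e92ffe54038fb6baaca956e1bfc3aea"),
    (r"C:\Users\Admin\AppData\Local\Temp\temp1005.tmp", "97db7ec4663a5b322cf85bf77a750d7231cfd2cff861d0e8a9f19a58d8e923aa"),
    (r"C:\Users\Admin\AppData\Local\Temp\temp1005.tmp", "c8171391079c735eecfbcc7545516ee07153862cf4c01817aeb79f43824ff789"),
    (r"C:\Users\Admin\AppData\Local\Temp\temp1005.tmp", "c8171391079c735eecfbcc7545516ee07153862cf4c01817aeb79f43824ff789"),
    (r"C:\Users\Admin\AppData\Local\Temp\temp1005.tmp", "08f445c42f4e0538314c2d5a534aa4afa089019816fe263b2242caf95ff9418a"),
    (r"C:\Users\Admin\AppData\Local\Temp\temp1005.tmp", "d7a8bd9f3e5d0d7efffc4f650bdedb3c763f8c56f7e6c6f4e33e1682a87e9d01"),
    (r"C:\Users\Admin\AppData\Local\Temp\mscvhost.exe", "879226bc5f8159e06bbb7a8c37258b81b07c13c52e83e2b3b8fd8bf9182e8f5e"),
    (r"\Users\Admin\AppData\Local\Temp\mscvhost.exe", "879226bc5f8159e06bbb7a8c37258b81b07c13c52e83e2b3b8fd8bf9182e8f5e"),
    (r"C:\Users\Admin\AppData\Local\Temp\msavhost.exe", "6848ac63649274eb2ab2d93bb48924b685ea90dc0d312bbd841b9f50d608cd60"),
    (r"C:\Users\Admin\AppData\Local\Temp\v1843453.pdf", "7a3b87fb25cfed9c7e5e5dbc8891679df962a678b57d6c80d820cc1208c6d610"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M5G0LMXJ.txt", "b515e98306e7a5522380c0d5186b21336c7383e2ba37c126609f23ec62ba981d"),
]


def normalize(path):
    """Fold a drive-less '\\Users\\...' entry onto C: (assumption: single-drive VM) and fold case."""
    p = path
    if p.startswith("\\") and not p.startswith("\\\\"):
        p = "C:" + p
    return ntpath.normcase(p)


def group_by_path(entries):
    """Normalized path -> list of hashes in the order the report lists them."""
    groups = defaultdict(list)
    for path, sha in entries:
        groups[normalize(path)].append(sha.lower())
    return groups


def unique_hashes(entries):
    """Sorted set of distinct SHA256 values, the IOC list to publish."""
    return sorted({sha.lower() for _, sha in entries})


def rewritten_paths(entries):
    """Paths listed with more than one distinct hash, each with its hashes in first-seen order."""
    return {p: list(dict.fromkeys(shas))
            for p, shas in group_by_path(entries).items() if len(set(shas)) > 1}


def dropped_executables(entries):
    return sorted(p for p in group_by_path(entries) if p.endswith(".exe"))


if __name__ == "__main__":
    for p, shas in rewritten_paths(FILE_ENTRIES).items():
        print(p, "rewritten", len(shas), "times")
    print(len(unique_hashes(FILE_ENTRIES)), "unique hashes")
```

A path that was rewritten with several different contents, as temp1005.tmp was here, is the one to pull from the sandbox's file dump in every version rather than just the last; the earlier contents are often the intermediate payloads that the final file no longer contains.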