Malware Analysis Report

2025-01-18 07:56

Sample ID 230813-mfnfbada8y
Target b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe
SHA256 b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2c
Tags
amadey djvu fabookie redline smokeloader vidar d2840cabd9794f85353e1fae1cd95a0b logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer ransomware spyware stealer trojan pub1 microsoft phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2c

Threat Level: Known bad

The file b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu fabookie redline smokeloader vidar d2840cabd9794f85353e1fae1cd95a0b logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer ransomware spyware stealer trojan pub1 microsoft phishing

Djvu Ransomware

SmokeLoader

Detected Djvu ransomware

Fabookie

RedLine

Vidar

Amadey

Detect Fabookie payload

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Deletes itself

Looks up external IP address via web service

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-13 10:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-13 10:24

Reported

2023-08-13 10:27

Platform

win7-20230712-en

Max time kernel

47s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\1584.exe
PID 1208 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\1584.exe
PID 1208 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\1584.exe
PID 1208 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\1584.exe
PID 1208 wrote to memory of 2392 N/A N/A C:\Users\Admin\AppData\Local\Temp\172A.exe
PID 1208 wrote to memory of 2392 N/A N/A C:\Users\Admin\AppData\Local\Temp\172A.exe
PID 1208 wrote to memory of 2392 N/A N/A C:\Users\Admin\AppData\Local\Temp\172A.exe
PID 1208 wrote to memory of 2392 N/A N/A C:\Users\Admin\AppData\Local\Temp\172A.exe
PID 1208 wrote to memory of 1288 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 1288 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 1288 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 1288 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 1288 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1288 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1208 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E3D.exe
PID 1208 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E3D.exe
PID 1208 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E3D.exe
PID 1208 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E3D.exe
PID 1208 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\3AF2.exe
PID 1208 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\3AF2.exe
PID 1208 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\3AF2.exe
PID 1208 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\3AF2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\1584.exe

C:\Users\Admin\AppData\Local\Temp\1584.exe

C:\Users\Admin\AppData\Local\Temp\172A.exe

C:\Users\Admin\AppData\Local\Temp\172A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1C3A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1C3A.dll

C:\Users\Admin\AppData\Local\Temp\1E3D.exe

C:\Users\Admin\AppData\Local\Temp\1E3D.exe

C:\Users\Admin\AppData\Local\Temp\3AF2.exe

C:\Users\Admin\AppData\Local\Temp\3AF2.exe

C:\Users\Admin\AppData\Local\Temp\1584.exe

C:\Users\Admin\AppData\Local\Temp\1584.exe

C:\Users\Admin\AppData\Local\Temp\5594.exe

C:\Users\Admin\AppData\Local\Temp\5594.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\744E.exe

C:\Users\Admin\AppData\Local\Temp\744E.exe

C:\Users\Admin\AppData\Local\Temp\7E2E.exe

C:\Users\Admin\AppData\Local\Temp\7E2E.exe

C:\Users\Admin\AppData\Local\Temp\3AF2.exe

C:\Users\Admin\AppData\Local\Temp\3AF2.exe

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6e2a7ed4-c470-4a3b-a70c-22d5da4d2a18" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\744E.exe

C:\Users\Admin\AppData\Local\Temp\744E.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {B6267F74-8305-4EF5-8847-C28483FDB9FD} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

"C:\Users\Admin\AppData\Local\Temp\6ADB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\744E.exe

"C:\Users\Admin\AppData\Local\Temp\744E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

"C:\Users\Admin\AppData\Local\Temp\5DFE.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

"C:\Users\Admin\AppData\Local\Temp\5DFE.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

"C:\Users\Admin\AppData\Local\Temp\6ADB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
PE 190.187.52.42:80 colisumy.com tcp
NL 194.169.175.233:3003 194.169.175.233 tcp
MD 176.123.9.142:14845 tcp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 admaiscont.com.br udp
US 142.4.24.122:443 admaiscont.com.br tcp
US 142.4.24.122:443 admaiscont.com.br tcp
RU 79.137.192.18:80 79.137.192.18 tcp
PL 51.83.170.21:19447 tcp
NL 194.169.175.233:3003 194.169.175.233 tcp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
RU 79.137.192.18:80 79.137.192.18 tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
DE 37.27.11.1:80 37.27.11.1 tcp
PL 51.83.170.21:19447 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp

Files

memory/2336-54-0x0000000002740000-0x0000000002840000-memory.dmp

memory/2336-55-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2336-56-0x0000000000400000-0x00000000022F8000-memory.dmp

memory/1208-57-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/2336-58-0x0000000000400000-0x00000000022F8000-memory.dmp

memory/2336-61-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1208-62-0x000007FEF63A0000-0x000007FEF64E3000-memory.dmp

memory/1208-63-0x000007FF1EF80000-0x000007FF1EF8A000-memory.dmp

memory/1208-67-0x000007FEF63A0000-0x000007FEF64E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1584.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\1584.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/1208-74-0x000007FF1EF80000-0x000007FF1EF8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\172A.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

C:\Users\Admin\AppData\Local\Temp\172A.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

memory/2392-81-0x00000000001C0000-0x00000000001F0000-memory.dmp

memory/2392-82-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\172A.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

memory/2392-87-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2392-89-0x0000000001F40000-0x0000000001F46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1C3A.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

\Users\Admin\AppData\Local\Temp\1C3A.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

memory/2804-92-0x00000000020D0000-0x0000000002344000-memory.dmp

memory/2804-95-0x00000000020D0000-0x0000000002344000-memory.dmp

memory/2804-94-0x0000000000180000-0x0000000000186000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E3D.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

memory/2392-101-0x0000000004890000-0x00000000048D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E3D.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

C:\Users\Admin\AppData\Local\Temp\3AF2.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/2392-109-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2392-111-0x0000000004890000-0x00000000048D0000-memory.dmp

memory/2736-113-0x0000000000250000-0x0000000000279000-memory.dmp

memory/2736-114-0x0000000000280000-0x00000000002BF000-memory.dmp

memory/2736-112-0x00000000036B0000-0x00000000036E8000-memory.dmp

memory/2736-116-0x0000000000400000-0x00000000018D6000-memory.dmp

memory/2736-115-0x00000000036F0000-0x0000000003724000-memory.dmp

memory/2736-118-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2736-119-0x0000000003520000-0x0000000003560000-memory.dmp

memory/2736-117-0x00000000019E0000-0x00000000019E6000-memory.dmp

memory/2736-120-0x0000000003520000-0x0000000003560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1584.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/2732-124-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3024-127-0x0000000000320000-0x0000000000398000-memory.dmp

memory/2732-128-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5594.exe

MD5 00f2d53d4e13ead70fb44c3a7c251675
SHA1 5933e3de281fb95625099ef9a788b3cddf48c96a
SHA256 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7
SHA512 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a

memory/2540-135-0x00000000009D0000-0x0000000000A8E000-memory.dmp

memory/2540-137-0x0000000074B80000-0x000000007526E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1584.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\5594.exe

MD5 00f2d53d4e13ead70fb44c3a7c251675
SHA1 5933e3de281fb95625099ef9a788b3cddf48c96a
SHA256 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7
SHA512 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a

memory/3024-125-0x00000000002D0000-0x0000000000311000-memory.dmp

\Users\Admin\AppData\Local\Temp\1584.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/2732-138-0x0000000000400000-0x000000000048C000-memory.dmp

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

memory/1244-148-0x00000000FFC90000-0x00000000FFCFA000-memory.dmp

memory/2732-147-0x0000000000400000-0x000000000048C000-memory.dmp

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2736-170-0x0000000003520000-0x0000000003560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2540-178-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2736-179-0x0000000074B80000-0x000000007526E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\744E.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2736-186-0x0000000003520000-0x0000000003560000-memory.dmp

memory/2736-188-0x0000000003520000-0x0000000003560000-memory.dmp

memory/2736-187-0x0000000003520000-0x0000000003560000-memory.dmp

memory/2732-195-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E2E.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2680-201-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2576-205-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2680-204-0x0000000003290000-0x00000000033AB000-memory.dmp

memory/2576-200-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\3AF2.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

\Users\Admin\AppData\Local\Temp\3AF2.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/2576-208-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3AF2.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/1656-226-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1244-227-0x0000000002D60000-0x0000000002ED1000-memory.dmp

memory/1244-228-0x0000000002EE0000-0x0000000003011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar9F02.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\Local\Temp\Cab9E63.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 afa187a8ce17289174edf48e3ce543e5
SHA1 853243f549604606c0f6ddcf8966ae6834f12570
SHA256 68de824bccfd2077054edc385e9623add12590d97421e48438d6e0a796194c18
SHA512 76c096b550a8a77c483e2ace4076b99b0253270587a4e4b0ca272b93ce897c7bf6057804bc630c12dde6567f69ed1c290fa45d1cf53dc05ae18e152198238aa6

memory/2732-256-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23ea24d463388862acca3a142bb080e1
SHA1 342d5a19f65cc5050f32229ffaa443023b3ae2de
SHA256 98d30705f6c288f06c1b03c5276e985087c42f13bb3ebebac6fba48e68fc1a82
SHA512 da49780fa0645c55e620110c7d2d6ac4bcd9351e7a438e4860230f02bf0192bee7f7f11313ff102b06bd10231bfb50ac973a8d2fa2b909ca7941052244d5337c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad7feeb9a61df1aabe36d1c6abb5ee18
SHA1 53b99c4d672ba9c1dbe4f80509ab43992c76f2bf
SHA256 bdcef0a06fb19321dfd267dbb2169d8e13238527e0ec97ca52c847415b973cb9
SHA512 0a279d409eeb51aba88ab50b6c8bd049f1644b50722b956a2170b6be36deeb2717aebaae532a4add98e234696ae522dc5f299855141621811dce32d2e3b381f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad7feeb9a61df1aabe36d1c6abb5ee18
SHA1 53b99c4d672ba9c1dbe4f80509ab43992c76f2bf
SHA256 bdcef0a06fb19321dfd267dbb2169d8e13238527e0ec97ca52c847415b973cb9
SHA512 0a279d409eeb51aba88ab50b6c8bd049f1644b50722b956a2170b6be36deeb2717aebaae532a4add98e234696ae522dc5f299855141621811dce32d2e3b381f4

memory/2732-298-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2392-299-0x0000000074B80000-0x000000007526E000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1244-361-0x0000000002EE0000-0x0000000003011000-memory.dmp

memory/2732-362-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\744E.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2132-384-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1896-385-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\744E.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\744E.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\6ADB.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2260-387-0x00000000035D0000-0x0000000003604000-memory.dmp

memory/2260-386-0x0000000000280000-0x00000000002BF000-memory.dmp

memory/2260-388-0x0000000000400000-0x00000000018D6000-memory.dmp

memory/2260-389-0x0000000005B40000-0x0000000005B80000-memory.dmp

memory/2260-390-0x0000000005B40000-0x0000000005B80000-memory.dmp

memory/2260-391-0x0000000074B80000-0x000000007526E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2732-397-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 a8cfb50a0e434d61c5950c39939c75ab
SHA1 bed51ce8cf805476ca8763e14a8fb83224734587
SHA256 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67
SHA512 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 016ec4de1365f456d1c88303f4cb3dd0
SHA1 dbc208a89fc1497981f8dad86baa03ab3e030f86
SHA256 b13d10af88fa8ed85fc189f39d33c7313dc59a657ec36b9c1d7229a42eb8aced
SHA512 af4f2c8dd27c74f7c76fc71447579a954f2e2b278834ba8cc28ce6592e14fdd219067958bd99b03f4b1b700354ff641e8349251a9ecba7cc1c8d83bf927d4f95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 2ea2e8d71dfade92fec1c0a9f187d944
SHA1 1fe60b8255ff220f4425e915563148175ba4bce6
SHA256 c723974fd0056025d20002b95234f66fa9243d48dbfe22a1b658b7c8a30b445d
SHA512 6311688045d3240e5402ad474532df680b9c9916a280830287e108c72e2c91f75ed0dea9cc4cf4b2a4ce0052cca4e3f195891aecde1ef869ade432cc26a1a999

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 91d59ea2f3257a955e2255f336da59bb
SHA1 f138077c1e604bb60062004fa2a4fb0ebbc6be34
SHA256 d1a14d2fb21738523a59e22ded7d5d14eb4157be7de0791c53398c1c9e3b050a
SHA512 21ddc22a1831e84bf097de9a637a3e60a82e5f9270200856c26f5d40fe0a7e372a81877746a09ef33bbe7cd4e821fdd1689e5d42c16f824ff3e05dfc4cc22e73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 bd808a3895c84385f92105615742e96d
SHA1 039face5d38fc531100f3fcf7a1007d172648283
SHA256 526a27b615a7c203f5b54bb0bb787b4873012495d5fd15af8b4e9da275ed4892
SHA512 4c136cb10ac576a07571f31e1ded42542220504b9e15d2d76084dee868e95a58b3c5f06f0124c82b9d2f3abfea7d29604935723b554acea24c3ea9ba52e6cc8f

C:\Users\Admin\AppData\Local\6e2a7ed4-c470-4a3b-a70c-22d5da4d2a18\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\6ADB.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\6ADB.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\6ADB.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\744E.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\744E.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2132-425-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\744E.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/1896-437-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\5DFE.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\6ADB.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-13 10:24

Reported

2023-08-13 10:27

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2308 set thread context of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 3144 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 3144 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 3144 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\Temp\51B6.exe
PID 3144 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\Temp\51B6.exe
PID 3144 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\Temp\51B6.exe
PID 3144 wrote to memory of 1424 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3144 wrote to memory of 1424 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3144 wrote to memory of 3100 N/A N/A C:\Users\Admin\AppData\Local\Temp\5552.exe
PID 3144 wrote to memory of 3100 N/A N/A C:\Users\Admin\AppData\Local\Temp\5552.exe
PID 3144 wrote to memory of 3100 N/A N/A C:\Users\Admin\AppData\Local\Temp\5552.exe
PID 1424 wrote to memory of 1084 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1424 wrote to memory of 1084 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1424 wrote to memory of 1084 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5040 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\51B6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5040 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\51B6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\84A0.exe
PID 3144 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\84A0.exe
PID 3144 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\84A0.exe
PID 5040 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\51B6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5040 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\51B6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2308 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\501F.exe C:\Users\Admin\AppData\Local\Temp\501F.exe
PID 2940 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2940 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3168 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D3C.exe
PID 3144 wrote to memory of 3168 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D3C.exe
PID 3144 wrote to memory of 3168 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D3C.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\b4d16c2fc236efc013f248a71bfae9854bd54265ed7ec7039dd3941303aa5c2cexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\501F.exe

C:\Users\Admin\AppData\Local\Temp\501F.exe

C:\Users\Admin\AppData\Local\Temp\51B6.exe

C:\Users\Admin\AppData\Local\Temp\51B6.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\53F9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\53F9.dll

C:\Users\Admin\AppData\Local\Temp\5552.exe

C:\Users\Admin\AppData\Local\Temp\5552.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=51B6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff354f46f8,0x7fff354f4708,0x7fff354f4718

C:\Users\Admin\AppData\Local\Temp\84A0.exe

C:\Users\Admin\AppData\Local\Temp\84A0.exe

C:\Users\Admin\AppData\Local\Temp\501F.exe

C:\Users\Admin\AppData\Local\Temp\501F.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=51B6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff354f46f8,0x7fff354f4708,0x7fff354f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\8D3C.exe

C:\Users\Admin\AppData\Local\Temp\8D3C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10377784967619350502,15357413466276669511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\9878.exe

C:\Users\Admin\AppData\Local\Temp\9878.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\9F01.exe

C:\Users\Admin\AppData\Local\Temp\9F01.exe

C:\Users\Admin\AppData\Local\Temp\A943.exe

C:\Users\Admin\AppData\Local\Temp\A943.exe

C:\Users\Admin\AppData\Local\Temp\B337.exe

C:\Users\Admin\AppData\Local\Temp\B337.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\BCDD.exe

C:\Users\Admin\AppData\Local\Temp\BCDD.exe

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7321218498904317802,1668400733707197751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\501F.exe" & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\84A0.exe

C:\Users\Admin\AppData\Local\Temp\84A0.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\84A0.exe" & exit

C:\Users\Admin\AppData\Local\Temp\A943.exe

C:\Users\Admin\AppData\Local\Temp\A943.exe

C:\Users\Admin\AppData\Local\Temp\9F01.exe

C:\Users\Admin\AppData\Local\Temp\9F01.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\B337.exe

C:\Users\Admin\AppData\Local\Temp\B337.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\94fcc9fd-271e-43ae-af4b-c397affa015c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3100 -ip 3100

C:\Users\Admin\AppData\Local\Temp\B337.exe

"C:\Users\Admin\AppData\Local\Temp\B337.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A943.exe

"C:\Users\Admin\AppData\Local\Temp\A943.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
KR 222.236.49.123:80 colisumy.com tcp
US 8.8.8.8:53 123.49.236.222.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.128.241.8.in-addr.arpa udp
NL 194.169.175.233:3003 194.169.175.233 tcp
KR 222.236.49.123:80 colisumy.com tcp
US 8.8.8.8:53 233.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 admaiscont.com.br udp
US 142.4.24.122:443 admaiscont.com.br tcp
US 8.8.8.8:53 122.24.4.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 45.147.19.2.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
IE 52.211.186.134:443 mscom.demdex.net tcp
US 8.8.8.8:53 134.186.211.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 mdec.nelreports.net udp
GB 88.221.134.65:443 mdec.nelreports.net tcp
GB 88.221.134.65:443 mdec.nelreports.net tcp
US 8.8.8.8:53 65.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.42.72.131:443 browser.events.data.microsoft.com tcp
NL 194.169.175.233:3003 194.169.175.233 tcp
US 20.42.72.131:443 browser.events.data.microsoft.com tcp
DE 159.69.198.239:27015 159.69.198.239 tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 239.198.69.159.in-addr.arpa udp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
US 8.8.8.8:53 21.170.83.51.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 159.69.198.239:27015 159.69.198.239 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp

Files

memory/856-134-0x0000000002540000-0x0000000002640000-memory.dmp

memory/856-135-0x00000000024A0000-0x00000000024A9000-memory.dmp

memory/856-136-0x0000000000400000-0x00000000022F8000-memory.dmp

memory/3144-137-0x0000000002BA0000-0x0000000002BB6000-memory.dmp

memory/856-138-0x0000000000400000-0x00000000022F8000-memory.dmp

memory/856-141-0x00000000024A0000-0x00000000024A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\501F.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\501F.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\51B6.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

C:\Users\Admin\AppData\Local\Temp\51B6.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

memory/5040-155-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5040-156-0x00000000005C0000-0x00000000005F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\53F9.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

C:\Users\Admin\AppData\Local\Temp\5552.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

C:\Users\Admin\AppData\Local\Temp\5552.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

C:\Users\Admin\AppData\Local\Temp\53F9.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

memory/1084-167-0x00000000025F0000-0x0000000002864000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\53F9.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

memory/1084-169-0x00000000025F0000-0x0000000002864000-memory.dmp

memory/1084-168-0x0000000000D60000-0x0000000000D66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84A0.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\84A0.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

memory/2308-182-0x00000000034F0000-0x0000000003531000-memory.dmp

memory/2308-183-0x00000000035C0000-0x0000000003638000-memory.dmp

memory/4956-186-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\501F.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/3100-188-0x00000000033A0000-0x00000000033C9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

memory/4956-190-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3100-189-0x0000000003410000-0x000000000344F000-memory.dmp

memory/4956-184-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4956-194-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3100-193-0x0000000000400000-0x00000000018D6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

\??\pipe\LOCAL\crashpad_1400_JXAPMMPGJOCFYFYE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\8D3C.exe

MD5 dd637ef7098a49cb61800e9efd85b1fc
SHA1 c290bc05fc441f1162bbc1030cde87b3dc38b9c9
SHA256 9014fe8d07e8429116fc6c8d0d55bc46773e0cd5d89271640b982eac91db19d9
SHA512 65969c48f98104ae5d15299665ef97da119b3451ea1fc89693b564273a610e419ff002036346a8aca4600d4f3f8eae564e110968209b0654b05d4435b30c9064

C:\Users\Admin\AppData\Local\Temp\8D3C.exe

MD5 dd637ef7098a49cb61800e9efd85b1fc
SHA1 c290bc05fc441f1162bbc1030cde87b3dc38b9c9
SHA256 9014fe8d07e8429116fc6c8d0d55bc46773e0cd5d89271640b982eac91db19d9
SHA512 65969c48f98104ae5d15299665ef97da119b3451ea1fc89693b564273a610e419ff002036346a8aca4600d4f3f8eae564e110968209b0654b05d4435b30c9064

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3e07abe4bdaea742624a3b6b3e7cc6b6
SHA1 47bb544027f47748d63d69742d986cd47c45ab50
SHA256 8711d7897b8eb425fc2ea375bb2940021c1bc276e89b06e598a7ffa995a4c4a5
SHA512 201cae2fee84daabd9402ddb6824b7989d5912d947c0707f3b3985b8ca6f2d4f797b6598aab0ab1bf97f88e0ad91f2530f706a5b29e7345ac3c109efb6b901c9

memory/3100-231-0x0000000074510000-0x0000000074CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 050c3c8804e162de70f9776f7e4f349e
SHA1 2b91301dbb1b6b8bda0cc63d948144800c20a014
SHA256 54b7f928ef7f44310ef87289f4cd5c032c5bd65cb278dc934aa2ab3cfb4804b2
SHA512 431ea4c00502533df9ea4922d45cd31046163cd3c3a70d257731775dc1197df3af0336d3da8e03bafeb225156abf9127c5fafbda5fb65dae751fb31f630bb3db

memory/1084-254-0x0000000002BD0000-0x0000000002CC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9878.exe

MD5 00f2d53d4e13ead70fb44c3a7c251675
SHA1 5933e3de281fb95625099ef9a788b3cddf48c96a
SHA256 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7
SHA512 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a

C:\Users\Admin\AppData\Local\Temp\9878.exe

MD5 00f2d53d4e13ead70fb44c3a7c251675
SHA1 5933e3de281fb95625099ef9a788b3cddf48c96a
SHA256 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7
SHA512 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a

memory/3040-258-0x0000000074510000-0x0000000074CC0000-memory.dmp

memory/3040-259-0x00000000000D0000-0x000000000018E000-memory.dmp

memory/3100-264-0x0000000003980000-0x0000000003990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9F01.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\9F01.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/1084-276-0x0000000002CD0000-0x0000000002DAE000-memory.dmp

memory/3100-281-0x00000000060F0000-0x0000000006694000-memory.dmp

memory/1084-280-0x0000000002CD0000-0x0000000002DAE000-memory.dmp

memory/3100-278-0x0000000003980000-0x0000000003990000-memory.dmp

memory/3100-282-0x0000000000400000-0x00000000018D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A943.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\A943.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/1084-298-0x00000000025F0000-0x0000000002864000-memory.dmp

memory/1084-303-0x0000000002CD0000-0x0000000002DAE000-memory.dmp

memory/4956-305-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B337.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/3100-310-0x0000000003410000-0x000000000344F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B337.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a24d1072cd6705c219a120aa2e12691b
SHA1 2bd13f706ac70bdcea837c17639a5f83302f6923
SHA256 266a18661698cc2cb7a9f395d0b2f2e5b8368281f705a61f4d20a4b4ce67aaf7
SHA512 685f21144abef7a9055be6fcd53b93c649c1f1fcb359e10a34ec1922de6e7fea031343c0fa4192f401a6c55e7621e33bcd98bb710685eb711744e6de5018d5ee

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 050c3c8804e162de70f9776f7e4f349e
SHA1 2b91301dbb1b6b8bda0cc63d948144800c20a014
SHA256 54b7f928ef7f44310ef87289f4cd5c032c5bd65cb278dc934aa2ab3cfb4804b2
SHA512 431ea4c00502533df9ea4922d45cd31046163cd3c3a70d257731775dc1197df3af0336d3da8e03bafeb225156abf9127c5fafbda5fb65dae751fb31f630bb3db

C:\Users\Admin\AppData\Local\Temp\B337.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/3100-338-0x00000000067E0000-0x0000000006DF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

memory/3100-349-0x0000000006F30000-0x0000000006F42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8caa8e809dbb78c2b8e98f5efa355ac4
SHA1 c5386547834a6b19f7ffb7592448d485f64fb57e
SHA256 ebb9501485c8a1f7107d3c4ecee4671fedd52d9f06963a4b085cc30c35c1247a
SHA512 1c1672a234755f5bce28f9510b3ae1db4847cfad81e9d8a5d1eadefdfa79401c3051efea15473f254685c2a98e87a785fa8b86cf186a3a36697cde036b21b75e

memory/3100-341-0x0000000006E00000-0x0000000006F0A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc
SHA1 83f8586805286b716c70ddd14a2b7ec6a4d9d0fe
SHA256 0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c
SHA512 084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

memory/3100-372-0x0000000006F50000-0x0000000006F8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\BCDD.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

C:\Users\Admin\AppData\Local\Temp\BCDD.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

memory/3040-383-0x0000000074510000-0x0000000074CC0000-memory.dmp

memory/4844-384-0x00007FF7EC0E0000-0x00007FF7EC14A000-memory.dmp

memory/3100-382-0x0000000003980000-0x0000000003990000-memory.dmp

memory/4956-385-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4956-386-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

memory/3100-408-0x0000000074510000-0x0000000074CC0000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4956-429-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3100-439-0x0000000003980000-0x0000000003990000-memory.dmp

memory/4844-440-0x0000000002F50000-0x00000000030C1000-memory.dmp

memory/4844-441-0x00000000030D0000-0x0000000003201000-memory.dmp

memory/3100-442-0x0000000003980000-0x0000000003990000-memory.dmp

memory/3100-443-0x0000000003980000-0x0000000003990000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a24d1072cd6705c219a120aa2e12691b
SHA1 2bd13f706ac70bdcea837c17639a5f83302f6923
SHA256 266a18661698cc2cb7a9f395d0b2f2e5b8368281f705a61f4d20a4b4ce67aaf7
SHA512 685f21144abef7a9055be6fcd53b93c649c1f1fcb359e10a34ec1922de6e7fea031343c0fa4192f401a6c55e7621e33bcd98bb710685eb711744e6de5018d5ee

C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe

MD5 a76e515e1150c903070a1eb1b2d216c0
SHA1 e747dbe088744a6de47ffcc9072404bfa60545ad
SHA256 a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50
SHA512 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30

C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe

MD5 a76e515e1150c903070a1eb1b2d216c0
SHA1 e747dbe088744a6de47ffcc9072404bfa60545ad
SHA256 a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50
SHA512 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30

C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe

MD5 a76e515e1150c903070a1eb1b2d216c0
SHA1 e747dbe088744a6de47ffcc9072404bfa60545ad
SHA256 a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50
SHA512 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30

memory/3100-470-0x0000000003980000-0x0000000003990000-memory.dmp

memory/4956-471-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4956-472-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b2e91cdd0e1c97efec540f2f60472d94
SHA1 719d6ebb5c0098733ed7acfb99909afe3d9468e2
SHA256 f2d0f2dac71c7ee35134c60db2f50514005e58832b2dedc388080c71dad6f411
SHA512 9b8585366912b132e4cf5dec0d0f92718fea4797d38dc61d7e2d979759afc52d064bb6dd6a0b90be32b3575855a7f0b58507e138e94d2c0ed9ad8514b84c4e3a

C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b2e91cdd0e1c97efec540f2f60472d94
SHA1 719d6ebb5c0098733ed7acfb99909afe3d9468e2
SHA256 f2d0f2dac71c7ee35134c60db2f50514005e58832b2dedc388080c71dad6f411
SHA512 9b8585366912b132e4cf5dec0d0f92718fea4797d38dc61d7e2d979759afc52d064bb6dd6a0b90be32b3575855a7f0b58507e138e94d2c0ed9ad8514b84c4e3a

C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b2e91cdd0e1c97efec540f2f60472d94
SHA1 719d6ebb5c0098733ed7acfb99909afe3d9468e2
SHA256 f2d0f2dac71c7ee35134c60db2f50514005e58832b2dedc388080c71dad6f411
SHA512 9b8585366912b132e4cf5dec0d0f92718fea4797d38dc61d7e2d979759afc52d064bb6dd6a0b90be32b3575855a7f0b58507e138e94d2c0ed9ad8514b84c4e3a

memory/3100-488-0x0000000007150000-0x00000000071C6000-memory.dmp

memory/4956-487-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3100-490-0x00000000071D0000-0x0000000007262000-memory.dmp

memory/3100-491-0x0000000007270000-0x00000000072D6000-memory.dmp

memory/4844-492-0x00000000030D0000-0x0000000003201000-memory.dmp

memory/3100-494-0x0000000007C10000-0x0000000007DD2000-memory.dmp

memory/3100-495-0x0000000007DE0000-0x000000000830C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84A0.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/4520-498-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4520-499-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4520-500-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 74f02b0dabd866a5a9d0acf005ac35e5
SHA1 cd2c4e508dccd8ed3e36b5ca2aecd4871d63169f
SHA256 5a4bd17bf2464469404ba75041aa6b465fbb6eeee2908fab9bf66e9d6b241fe5
SHA512 a37835ded8f17a80ec48bd898c67682703bcf7decf47c734d6cdc18ba19bb100019e6ed3c86fdacdb41562fbfb2a2a1bffecd9be7c1ceb52094ca8a38584f8c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

MD5 1cc039e3278abbf0e77cb25bc6d7f6ab
SHA1 dd876527942dfdd47f8950f399d67d50553fcd22
SHA256 61c32291587d3b4ac047f685a6dda602c15088e2267d57ca66cd165de0d89b04
SHA512 b02b7e1211fc3ae36a92eaef3b2eae1c166b18523a251657750c06842161f5843a6f1806cf39848af1346b558a81254982ae6ec05eb99741888465d442f7d8e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

MD5 bf7c3b4cc4179d208f4e20991b04d911
SHA1 e3e80f91b2ac3bef86effb90b83f2945ede7d3be
SHA256 8ea3fbd26213ecf233c11aec4f0b701421173c696c764427ce5de39c5c33d8e1
SHA512 20da80d8a0fef05ea4d8e2f9df998ef34f81669eb3ff9eab0f32fc8627e074b61ce4a99bc216b830016c8be80b354fc16bcfec7a920697e973571645f6a84daa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 4c1030e818c5cf3b2df578b27f80288d
SHA1 ea9d454f7a6408d1821e2a5ddaabc99f10dfc78a
SHA256 b63248329c55a2b6409f504f5b0536dc5239580048f9398f09ac3cb4d06f1e2a
SHA512 d8b46bd116360cc20e2148d542da44fab0b18972637dfbfdaf1328c24ca1a497bbf6ca32c0c3b25fb1c9d264b740ea20696f290875428c7393c1b6cf86614804

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 e8fd7c743992a173a30092c0a9a0a24a
SHA1 5e086509e4b3daacffbd5685cf74f05066278bb4
SHA256 65a1226b2ac399e933e575b5367e25f292b8606d68683f99dcf608bcefbf7259
SHA512 a931ee9c367d82e40555bf18c2afeedcb1deb8d30ccaf992f1e2842ef8c03c39213f37febfd1f26ebc1081e84f9b63903411d92187229c25f61041e2ecbefa77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 1d55bb858a659cd3d1e4fa3f78669d20
SHA1 1415c302a01b32b0d6048c910309dd60bbee8301
SHA256 5d2883b6e61dd45c68bb728ac5e7c193804b9b97936deb3cb80c5f0d93ab1eb1
SHA512 58703428cbc16e1edbc11c0344e44ddf906b891238a23f19712eae54379b2d5a874f09f280a6c95da5126f5d8292ab9d441dcaeb2e675bb7ffa5f2e8a5e7da52

C:\ProgramData\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\vcruntime140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\47057422291466174780501516

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/3168-547-0x0000000001AF0000-0x0000000001B05000-memory.dmp

memory/3168-548-0x0000000001B50000-0x0000000001B59000-memory.dmp

memory/3168-549-0x0000000000400000-0x00000000018C2000-memory.dmp

C:\ProgramData\97168294267303956298048453

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

memory/4520-558-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3100-559-0x0000000008490000-0x00000000084E0000-memory.dmp

memory/4520-563-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3168-567-0x0000000000400000-0x00000000018C2000-memory.dmp

memory/4364-568-0x0000000003460000-0x00000000034F1000-memory.dmp

memory/4364-569-0x0000000003640000-0x000000000375B000-memory.dmp

memory/3468-570-0x0000000003500000-0x0000000003591000-memory.dmp

memory/5112-576-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2212-578-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1156-583-0x0000000000400000-0x0000000000537000-memory.dmp