Malware Analysis Report

2025-06-16 02:08

Sample ID 231002-h85svahg64
Target file
SHA256 0278cd0d16def73d5d75106ad62ca0d62eadc9b511c59f7c5bbb68c1b0befda8
Tags
amadey glupteba healer mystic redline smokeloader @ytlogsbot up3 backdoor dropper evasion infostealer loader persistence stealer trojan dcrat fabookie genda larek discovery rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0278cd0d16def73d5d75106ad62ca0d62eadc9b511c59f7c5bbb68c1b0befda8

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary


Mystic

Glupteba

Glupteba payload

Detect Fabookie payload

Modifies Windows Defender Real-time Protection settings

RedLine payload

Fabookie

Healer

RedLine

DcRat

Detects Healer, an antivirus disabler dropper

Amadey

SmokeLoader

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-02 07:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 07:25

Reported

2023-10-02 07:27

Platform

win7-20230831-en

Max time kernel

37s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe N/A

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\BCD9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 276 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 2484 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 2484 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 2484 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 2484 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 2484 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 2484 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 1404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 1404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 1404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 1404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 1404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 1404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 1404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 2444 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 2444 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 2444 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 2444 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 2444 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 2444 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 2444 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 2612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 2612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 2612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 2612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 2612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 2612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 2612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 2612 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 2612 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 2612 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 2612 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 2612 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 2612 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 2612 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 276 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\SysWOW64\WerFault.exe
PID 276 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\SysWOW64\WerFault.exe
PID 276 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\SysWOW64\WerFault.exe
PID 276 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\SysWOW64\WerFault.exe
PID 276 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\SysWOW64\WerFault.exe
PID 276 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\SysWOW64\WerFault.exe
PID 276 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\SysWOW64\WerFault.exe
PID 1228 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe
PID 1228 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe
PID 1228 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe
PID 1228 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe
PID 1228 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe
PID 1228 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe
PID 1228 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe
PID 1144 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe
PID 1144 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe
PID 1144 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe
PID 1144 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe
PID 1144 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\BCD9.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 276 -s 284

C:\Users\Admin\AppData\Local\Temp\BCD9.exe

C:\Users\Admin\AppData\Local\Temp\BCD9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\BFA8.exe

C:\Users\Admin\AppData\Local\Temp\BFA8.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 132

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\C110.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\C3DE.exe

C:\Users\Admin\AppData\Local\Temp\C3DE.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 132

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\C797.exe

C:\Users\Admin\AppData\Local\Temp\C797.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LI279Qb.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LI279Qb.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 280

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\CE6B.exe

C:\Users\Admin\AppData\Local\Temp\CE6B.exe

C:\Users\Admin\AppData\Local\Temp\D7AF.exe

C:\Users\Admin\AppData\Local\Temp\D7AF.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\E92E.exe

C:\Users\Admin\AppData\Local\Temp\E92E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-P4NIN.tmp\is-0ES0R.tmp

"C:\Users\Admin\AppData\Local\Temp\is-P4NIN.tmp\is-0ES0R.tmp" /SL4 $10252 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {F8C6C6E8-C7EC-48C4-8791-127E176C5327} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231002072700.log C:\Windows\Logs\CBS\CbsPersist_20231002072700.cab

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 www.facebook.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 fbcdn.net udp
US 2.18.121.70:80 apps.identrust.com tcp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
MD 176.123.4.46:33783 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 6aa1cb4e-91d6-4055-974d-59662f9bfaff.uuid.ramboclub.net udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 datasheet.fun udp
US 172.67.166.109:80 datasheet.fun tcp
DE 148.251.234.93:443 iplogger.com tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe

MD5 61841312daa6742993b4126d3ae4f167
SHA1 233d112a31030e6c3093af86d0f461d15fd9c341
SHA256 851fcac47381d066915761750df5ccf83d493c597fc60ec9dcf65bba16e0c806
SHA512 b261afce2247b3e5aeb49f4956dddb6204adf370be5b57fe4f33e8e3b3c054aad1713c8ef6829d2bed08953d14fc89720f1d2f69d0ce924788a8ece67206a38f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe

MD5 61841312daa6742993b4126d3ae4f167
SHA1 233d112a31030e6c3093af86d0f461d15fd9c341
SHA256 851fcac47381d066915761750df5ccf83d493c597fc60ec9dcf65bba16e0c806
SHA512 b261afce2247b3e5aeb49f4956dddb6204adf370be5b57fe4f33e8e3b3c054aad1713c8ef6829d2bed08953d14fc89720f1d2f69d0ce924788a8ece67206a38f

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe

MD5 b706493ed4d8b02a37d591adb06d73d9
SHA1 cb9dcff12282d4699784d4e4f72809cc4dabab03
SHA256 344d6421de7f538849e61df2abc739f19d09dbc3807c26e0d0ec2a4a2d5153ce
SHA512 7f7061fda4ae4a460d08a2182a1abdf40f4f5c26684d63b5b22055859be16163070665f66d0f9895549fddf12607b2b06008d229dc6b79eda1d8023286a8ee71

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe

MD5 b706493ed4d8b02a37d591adb06d73d9
SHA1 cb9dcff12282d4699784d4e4f72809cc4dabab03
SHA256 344d6421de7f538849e61df2abc739f19d09dbc3807c26e0d0ec2a4a2d5153ce
SHA512 7f7061fda4ae4a460d08a2182a1abdf40f4f5c26684d63b5b22055859be16163070665f66d0f9895549fddf12607b2b06008d229dc6b79eda1d8023286a8ee71

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe

MD5 b706493ed4d8b02a37d591adb06d73d9
SHA1 cb9dcff12282d4699784d4e4f72809cc4dabab03
SHA256 344d6421de7f538849e61df2abc739f19d09dbc3807c26e0d0ec2a4a2d5153ce
SHA512 7f7061fda4ae4a460d08a2182a1abdf40f4f5c26684d63b5b22055859be16163070665f66d0f9895549fddf12607b2b06008d229dc6b79eda1d8023286a8ee71

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe

MD5 b706493ed4d8b02a37d591adb06d73d9
SHA1 cb9dcff12282d4699784d4e4f72809cc4dabab03
SHA256 344d6421de7f538849e61df2abc739f19d09dbc3807c26e0d0ec2a4a2d5153ce
SHA512 7f7061fda4ae4a460d08a2182a1abdf40f4f5c26684d63b5b22055859be16163070665f66d0f9895549fddf12607b2b06008d229dc6b79eda1d8023286a8ee71

\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe

MD5 5af6cda954aedb3576dfefc7a4fb7867
SHA1 8727aa8ee58833ea241d484cd5931339bd2e9adb
SHA256 9f77e2c85eefacf19de48d05416a98ab2c5544e8481e4bb851e4a92705d3b75c
SHA512 6cdd491eaf37a9ff178232bd3fdddeaf7c93c095a515fa6da94b85596d18f76f7eadf5b9873422694d3d2476f41de6b8e2a0ba4e314b62eb16036ed133091790

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe

MD5 5af6cda954aedb3576dfefc7a4fb7867
SHA1 8727aa8ee58833ea241d484cd5931339bd2e9adb
SHA256 9f77e2c85eefacf19de48d05416a98ab2c5544e8481e4bb851e4a92705d3b75c
SHA512 6cdd491eaf37a9ff178232bd3fdddeaf7c93c095a515fa6da94b85596d18f76f7eadf5b9873422694d3d2476f41de6b8e2a0ba4e314b62eb16036ed133091790

\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe

MD5 5af6cda954aedb3576dfefc7a4fb7867
SHA1 8727aa8ee58833ea241d484cd5931339bd2e9adb
SHA256 9f77e2c85eefacf19de48d05416a98ab2c5544e8481e4bb851e4a92705d3b75c
SHA512 6cdd491eaf37a9ff178232bd3fdddeaf7c93c095a515fa6da94b85596d18f76f7eadf5b9873422694d3d2476f41de6b8e2a0ba4e314b62eb16036ed133091790

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe

MD5 5af6cda954aedb3576dfefc7a4fb7867
SHA1 8727aa8ee58833ea241d484cd5931339bd2e9adb
SHA256 9f77e2c85eefacf19de48d05416a98ab2c5544e8481e4bb851e4a92705d3b75c
SHA512 6cdd491eaf37a9ff178232bd3fdddeaf7c93c095a515fa6da94b85596d18f76f7eadf5b9873422694d3d2476f41de6b8e2a0ba4e314b62eb16036ed133091790

\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe

MD5 d0ca53edd2573f99ec6b54e391860a7e
SHA1 3f0dd462e293e2bb7bf12c79b1ac32ec00c774e7
SHA256 3939112be72ceafe74305a47754cb2e48b3ebce12068a8fa6d549180ab234f19
SHA512 74d07cdd3c95de593c15e925a6cf38be06b6b14dc47feeedb207b3a0fc69d563f4e5c046c05679331e3d9762197c32432b15f859e4e9ad795c0e3d4c6726b6d0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe

MD5 d0ca53edd2573f99ec6b54e391860a7e
SHA1 3f0dd462e293e2bb7bf12c79b1ac32ec00c774e7
SHA256 3939112be72ceafe74305a47754cb2e48b3ebce12068a8fa6d549180ab234f19
SHA512 74d07cdd3c95de593c15e925a6cf38be06b6b14dc47feeedb207b3a0fc69d563f4e5c046c05679331e3d9762197c32432b15f859e4e9ad795c0e3d4c6726b6d0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe

MD5 d0ca53edd2573f99ec6b54e391860a7e
SHA1 3f0dd462e293e2bb7bf12c79b1ac32ec00c774e7
SHA256 3939112be72ceafe74305a47754cb2e48b3ebce12068a8fa6d549180ab234f19
SHA512 74d07cdd3c95de593c15e925a6cf38be06b6b14dc47feeedb207b3a0fc69d563f4e5c046c05679331e3d9762197c32432b15f859e4e9ad795c0e3d4c6726b6d0

memory/2744-38-0x0000000000F80000-0x0000000000F8A000-memory.dmp

memory/2744-39-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2744-40-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2744-41-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

memory/2556-51-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2556-53-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2556-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2556-54-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2556-55-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

MD5 5eb083e864de9176aef7782341c8f7cd
SHA1 83ac8880ce41c4ca35cba91a5ccc6d14d0e90d13
SHA256 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
SHA512 e285590fa81b66b9cc7f8ff1804ace3803659b89e5f68b6edfbd793977838f0a5d9b83ddd29c1991832218bbd2fece24b307f696c26bb5e419fd36307619957e

memory/1228-60-0x0000000002A90000-0x0000000002AA6000-memory.dmp

memory/2556-61-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BCD9.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

\Users\Admin\AppData\Local\Temp\BCD9.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

C:\Users\Admin\AppData\Local\Temp\BCD9.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\BFA8.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

C:\Users\Admin\AppData\Local\Temp\BFA8.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\C110.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

\Users\Admin\AppData\Local\Temp\BFA8.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

\Users\Admin\AppData\Local\Temp\BFA8.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

\Users\Admin\AppData\Local\Temp\BFA8.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

\Users\Admin\AppData\Local\Temp\BFA8.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

C:\Users\Admin\AppData\Local\Temp\C110.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\C3DE.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

C:\Users\Admin\AppData\Local\Temp\C3DE.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

\Users\Admin\AppData\Local\Temp\C3DE.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

\Users\Admin\AppData\Local\Temp\C3DE.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

\Users\Admin\AppData\Local\Temp\C3DE.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

\Users\Admin\AppData\Local\Temp\C3DE.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

memory/1060-197-0x0000000000E30000-0x0000000000E3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C797.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1060-198-0x000007FEF4C30000-0x000007FEF561C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C797.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\C797.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

C:\Users\Admin\AppData\Local\Temp\CabD05A.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarD4F0.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbb0f2de0041bdc35a4f125022444d2e
SHA1 d5632abc249e9b64519842ca231ec7664ff3f2ff
SHA256 8ab8100b899d3e3f34707f57dd8b4f872bd98d180cc37c0b0c8ad8ba795eb02c
SHA512 036bae469226f9d3d1afd6effa63746c64b92ee47d415dca32d960fe66899bea95099c709f263cddd0bce69ed40d5029c33a7f257c785c8a59fc42482d440bf6

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

memory/1944-268-0x00000000FFCE0000-0x00000000FFD4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

memory/1032-282-0x00000000044E0000-0x00000000048D8000-memory.dmp

memory/2988-295-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1888-294-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1032-299-0x00000000048E0000-0x00000000051CB000-memory.dmp

memory/1032-298-0x00000000044E0000-0x00000000048D8000-memory.dmp

memory/1888-309-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1888-297-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2988-293-0x0000000002710000-0x0000000002810000-memory.dmp

memory/476-312-0x0000000000D10000-0x0000000000E84000-memory.dmp

memory/2704-322-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2704-324-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2704-328-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2704-330-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2288-331-0x0000000000300000-0x00000000004BD000-memory.dmp

memory/2704-332-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1060-333-0x000007FEF4C30000-0x000007FEF561C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90efc6fe67f16b2ddc0905b1400c5394
SHA1 4d7422d7de20d1c738971fd87378af437fd2fd77
SHA256 022587b97059a5dd4f9065a17b0b682c546a82332600057cde452d5d6a7f42d0
SHA512 17a8a69851c43a78145d366b3f1cf83861bf8925575433b573e857a7cb994e962f55a1e5eb766b45766002ba7e9575da1ae0dbeebc657fcd99a2e9e13b12901a

memory/1228-345-0x0000000002CC0000-0x0000000002CD6000-memory.dmp

memory/1888-346-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2704-352-0x0000000000370000-0x0000000000376000-memory.dmp

memory/376-434-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2516-446-0x0000000000890000-0x0000000000898000-memory.dmp

memory/476-516-0x0000000070BD0000-0x00000000712BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPR9MST4\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/2936-628-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/2888-671-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39ef7dbc8bc8a238fc1ad368823c3297
SHA1 f8b98877e6a0b15c1dae7bdbe92fbd42a643d31b
SHA256 b4560fd2ae0df432b13590800e0668002084febbb847276cc4687f7d3798382e
SHA512 c7e2df22a08e8b10366d65784bfb10c3b74e1e29563d490ba1eda2d9d076315b3eee73cf5748595c8987ea1ff98bd255638ba15b39b13304cf5c655708ef8958

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a847871c65cafb6cfc54160d2735c665
SHA1 8110b67d8a3899205d00d63d701cb32bd3cec5c8
SHA256 3fb0e9d05dfb42342d00b0e7957f388e2d6af65646dcddf4bf4932bf9e5856fe
SHA512 1664e2650872bfe5699f18ae9b177c8082ccb1eb831a8d2d70814f43f4cf908e1944f5f733fff5338a738f90cc020a58170e8f32ed669958b6c24d5d03d98e7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cdddd2be8d3cdebf9273f1c80af6ee8
SHA1 5c7bc0683761980cf3d348d4291e634629f2413a
SHA256 dfc75a10041b508d659a2f5f78acf9beb8a3adb8fc32394e61236d40671c3584
SHA512 b85e576b2f311d3fcb5ec4d90fc7e2a1386813f5288978f805319251b04de7e73609799e19dea3188cec9df375d20a03b0d8fe8270cce1d42fa85b4ddd9f30ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c65fc5f2726e06f442c103cf3b3ceee2
SHA1 95ecde916f2f23834daf01952dd798db2bccbcec
SHA256 cbf98ac71db703862c0d5e9c0c08ea0128c6d17309bf541bd4d6245480ee306b
SHA512 bbe99f7ac8e247657a8e928c2a9878de43f789bfffd72a171d0ce59f8de411794e0527dc37df1f66c38f6febb28234e8141754dad8a388009bfa74f233511d5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a72b2eed755846c726632dd60cc0d9e7
SHA1 4aae8d251f6f819ae1c5804b2649ed2906860fde
SHA256 7362b0eade2383682bf73c44aa71a9d6f046b8e38d1ce53904f293609ea7ea4d
SHA512 6bd8babe61714a444d110831572260894cebe5cafb8f9ed1c89968e3c263c3794885974fe5a7b5b6fdbb93bc8151dc5b30fc10370f709e3144aeb9af8868c43c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2846a2c44efbe0ede1fc8f3130756e63
SHA1 0e63fd79bd66c2be582f0fddbe5daf2aa8fefb54
SHA256 de7d825cfe9fbc1f4b29ac995040cf1267a6f746b01f7bf7cd866b2a416b5fc3
SHA512 962cf80d15d46c3a96ad4382c6bbe7a7cdb6aa6f7b9de413ba818860a020ff033db55bdac1c00e48edf03d7cd8a39f34938bc67fc30e7cf60df03c5708dd14b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8547e2ea7fd70a48c3167ea776ce45e3
SHA1 d130769aebbe35219be16168307cce109474fb42
SHA256 bcc997ec388c6669a448655e168e6e84534fc696ecc7fe0dd3b81c90ba88578e
SHA512 f5ca17880dd44c31d8f2bb2bd2e36613014fc631a005e7011d2925dde85ede6ddf51961ae275afcdae8a5cad0a0c1252df392d15319aade2a747464330c92b2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed5d2f6e6930ee4cb8fcbfe6e2c81712
SHA1 c7622ca7494c9ccde09b66ff24c9b0417000a798
SHA256 3f083556f564cdf05363151a0e59543154f9294cff206e06b495b23da474fc3a
SHA512 b5ff6a6e15fbfc3d88919bb008e6d47f658f64d6fab0d2cd88c5a112b82fdfce5ed2ee0c264ea4a958dc385054b964c87429fe7f33ea69c0cfd04522a0f3cdbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 8301600504b0dba9db052987246ab0b2
SHA1 2217437b872cea4a68b08494c1e0353ef2df2347
SHA256 88ca234c816c101b89664c473eac9b212356191c0f1ee515dea5a27059cc40d3
SHA512 3216a1c41535f6af4e5d9f39dadc53763d504f7ca314cfd488135d53bf495709c74ec3cfa47df09da58c5a1fe5b44ad2b0aea72e701efd48752ff61367d1cb53

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2704-1151-0x0000000070BD0000-0x00000000712BE000-memory.dmp

memory/1376-1152-0x0000000004420000-0x0000000004818000-memory.dmp

memory/1032-1153-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1032-1154-0x00000000048E0000-0x00000000051CB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 030cfbee8e18ba303ba60c85727e18a0
SHA1 aed00cf0d18e4a6b62e753d1b4a4d253ed756bc0
SHA256 2f9185fa05e4e33542090cb3316f787a6abd71def639e656ce09ddfe74ae362e
SHA512 fa9c1c73b8b82793e97506c5230a0ad2a71bacb1f9b07d15b3f5287c23a2150246f74782743f198957c9f7405d063d960527c4f9a518f9ce72f8723620197c0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 826e8a15ddae5bd081248ab2180c409f
SHA1 ac42cb2d85e9404d339890a68abbb298b81a7ded
SHA256 5a69845199b585f299cc8fe53c658643ac1df066b0c8eebb8bb847a59a16a1e9
SHA512 81960c221af2fe2e6ed8416076dd16b023b5725107aade7bcd864c436fa321b48da6cc375eea00d5d6bb18e9debe96c387992ea47e3daa622c074ed59ab99860

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 127855ad2aa25f3aa8511b384edc54ee
SHA1 36cdc18683abf59709e5d4dce48e828d571eecd4
SHA256 e36aaf7b307406ae1ab67ef55fefcb8fc5c5b05fb632aead996e38102a84378d
SHA512 99e22df44bf3a3fe704eb5fff961b327d0a3158986aacbd434a3fa91591688ddfe88b65776b5393464b1c26999f5b8a8f5538eb69a8263024c13e2a4c64a0589

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15545b38cf87c67c7e76f057e8ed71b7
SHA1 01a6c2914544c91d6fe57b12075dc168a2543588
SHA256 6c8c7f37959d8069356812434599dfdd0d844ea8b7ab676b8e6c4cf0b6686f0c
SHA512 2cc37c908a74bfd61ce1061e4d764bc038e82cdd3799565b6d14d49b4e28b9118628b70f59bf20927817738982bdb78bed92361333500c293aacaaa86c22b341

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 049fc2556fc843acf5bd7df9f7adc47e
SHA1 472f397c7e8bdf94dd6930ab55e4398b9e387bf1
SHA256 ff6002b625406ed50bb8ae7c4473ae5eb34f2278d344f465eba525e4ceee7d94
SHA512 62583ba91efb730c46d53547363d6c0a45aab03f456e7db25125fea896dc4c70fa02d5d95fa4a8987edafdd5c473beb8300b7156888690773eebb714048c9da4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 029f4fb1d8a165eefb5aa2ef0149ae2c
SHA1 f7e215672fdf2627f83be772ed3f0c68608cbc9b
SHA256 156685e5c6133ad00a025353a815be40d211fc8d8763add8ae3300460777ca98
SHA512 5c005838a83471754fb363977b428ff28d491b61780d374921d298e8622558282ac7717781fa8891249d721cb73ba73cf5384a0f5fbc5ff2cb7a4a1919d9ef9a

memory/2940-1365-0x0000000004420000-0x0000000004818000-memory.dmp

memory/1376-1364-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1376-1366-0x0000000004420000-0x0000000004818000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ebba560704a00ffe507ebb331ac475b
SHA1 0449f40fc4097b5b0add4f87d950bff1c160a6cc
SHA256 edd6c688cc8d97ee1d42b7fa3c90b9d93f1640bb3e33293fb8f1889d66439d7e
SHA512 7af1acd7cf03f679b61f5021e9c4269b0c7f595f4c9c0372e80bc4f8010e9bee98da771c86f3e61ffcac0037fb7c7a7a8803dc8c976070e8d324a9443a21c362

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c71ecfc600dd1eb7eeb24ef2744da85
SHA1 2076f955117d7be1187760d88d9925e42707eb3a
SHA256 14421fd7f435fc73aceb9ded6911b66f46bcd6c07f22915335601f29931ed9ba
SHA512 5ba227d289c29f97322e3d84d7e5551a5e6551fb9a4cefd1c8b6ffa85cbf21d370247c92340f8d0ecccaa931e19a1cff72d688b50d0fc5bb2eaa088dd69bd074

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7f7620731c6a15622068cb24d15a9f5
SHA1 4985d7d2be11200e79d687c75d22d20b09177426
SHA256 2026758cf42b0b0d7ddf2ecfcfaa95947f9700c0785c55645e70bcbefdfa8b23
SHA512 6a66e03ac4d7d27a7634256e471645c3d58de3bc477315aaf56ab3afd23106f2a9b0dd480eece700730ff596fc618c016c1d4e6a55cbe16a2578a5a1a82d044e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ad05fe6e4e8bf41364ee7078522dc5c
SHA1 a785d4d5b7189cd0fb5a91e93b0ee61d2d87b8c1
SHA256 792420835a50a3cbd82fa2fd0ed298b872ef5b9e636968e14188bfcc35188a46
SHA512 65f7195ca9661ab751f599eb082be6e5af47523326e58fc3cc2cc19341119437f08ccfe5ad077dd1b8fca7b5be82315b6c48dbf12403e7c769c22d0b1edd5b86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47d129bdfd4f3c3e2d5fcfff7ceb46c9
SHA1 4d2644f93ebbe7f81e0df791083e8a0e152f9fdd
SHA256 e9670d45fd93f20692eac4556cffe70873fc9dd7c1a2917bf93245af02a11087
SHA512 6f5ab3662adedfb23afc661b0e8fef59c708d0af874f93f86ddff3dd001b530d2d4fc224c6667d5dc69afd8fb46224f8bfaa76ab5ed17a2b95d0171ae5fac7e8

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2888-1735-0x0000000002190000-0x00000000021D9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-02 07:25

Reported

2023-10-02 07:28

Platform

win10v2004-20230915-en

Max time kernel

124s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\6178.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\6178.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\6178.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\6178.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\6178.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\63EA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\89C3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zIR4cS5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5BF6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5D4F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IM2ly51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89C3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6178.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63EA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Jn21gx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LI279Qb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lj226Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89C3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94A2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\6178.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IN4Tk4cT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5BF6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cY6Eg9xY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\is-RG2LV.tmp C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-0UBCH.tmp C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-AL2G1.tmp C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-6TGFQ.tmp C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6178.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 1780 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 1780 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe
PID 5036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 5036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 5036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe
PID 1592 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 1592 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 1592 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe
PID 4668 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 4668 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe
PID 4668 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 4668 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 4668 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe
PID 4252 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe
PID 1592 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe
PID 1592 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 400 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5036 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe
PID 5036 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe
PID 5036 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe
PID 3672 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3672 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3672 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3672 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3672 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3672 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3672 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3672 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1780 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zIR4cS5.exe
PID 1780 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zIR4cS5.exe
PID 1780 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zIR4cS5.exe
PID 3120 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3120 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3120 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3120 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1388 wrote to memory of 248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1388 wrote to memory of 248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2280 wrote to memory of 4248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2280 wrote to memory of 4248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2280 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2280 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2280 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2280 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2280 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2280 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ay6lL22.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ry5ac36.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sr4xY60.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0004180.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\8620214.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4252 -ip 4252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 588

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq80FT3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1920 -ip 1920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx387MX.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3672 -ip 3672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zIR4cS5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zIR4cS5.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FAB.tmp\FAC.tmp\FAD.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zIR4cS5.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffa251a46f8,0x7ffa251a4708,0x7ffa251a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa251a46f8,0x7ffa251a4708,0x7ffa251a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15336850210744394086,16584597969539712707,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15336850210744394086,16584597969539712707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\5BF6.exe

C:\Users\Admin\AppData\Local\Temp\5BF6.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\5D4F.exe

C:\Users\Admin\AppData\Local\Temp\5D4F.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cY6Eg9xY.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5EC7.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\60CB.exe

C:\Users\Admin\AppData\Local\Temp\60CB.exe

C:\Users\Admin\AppData\Local\Temp\6178.exe

C:\Users\Admin\AppData\Local\Temp\6178.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5396 -ip 5396

C:\Users\Admin\AppData\Local\Temp\63EA.exe

C:\Users\Admin\AppData\Local\Temp\63EA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LI279Qb.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LI279Qb.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5700 -ip 5700

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 136

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6044 -ip 6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa251a46f8,0x7ffa251a4708,0x7ffa251a4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lj226Mc.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lj226Mc.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa251a46f8,0x7ffa251a4708,0x7ffa251a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\89C3.exe

C:\Users\Admin\AppData\Local\Temp\89C3.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\927E.exe

C:\Users\Admin\AppData\Local\Temp\927E.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\94A2.exe

C:\Users\Admin\AppData\Local\Temp\94A2.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5732 -ip 5732

C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UVQMC.tmp\is-2IOS0.tmp" /SL4 $140046 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 792

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10525181659715286306,17091382771932955442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files


MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

C:\Users\Admin\AppData\Local\Temp\60CB.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

C:\Users\Admin\AppData\Local\Temp\6178.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\6178.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\6178.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/5784-311-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60CB.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

memory/5756-314-0x00007FFA21D50000-0x00007FFA22811000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5EC7.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

memory/5784-316-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63EA.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\63EA.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/5784-313-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a42bd484f434c7fd4f1842765d355777
SHA1 3bb356816211f829b4971081a0a5183cba6cfda2
SHA256 2660006fa5727512c3b1f8a574b9554fd636f60c28dd3d8b73c198f95eaf5d93
SHA512 ccf6657ba70c8fbd3f0cb892bcae6e6b14d1089a6e0132c895d2e563c956f3b559a32b7c8bb038bd3a42a3c3aa3390bd31b3ba1845b805e90207549212c7af5e

memory/6036-339-0x0000000073D50000-0x0000000074500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

memory/6036-341-0x0000000007AF0000-0x0000000007B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1840-344-0x0000000073D50000-0x0000000074500000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/1840-346-0x0000000007C40000-0x0000000007C50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lj226Mc.exe

MD5 e43ed2f89335b4323450cc5a8b743a12
SHA1 578aa2a3018d58c9162fe9fd4d30e65a352fe58e
SHA256 462b13ad372a6c80aba06a0b94583199ecf97aa2122db642ee581f9ca5b96214
SHA512 70d7c974f40c7b03608697fdfea69d3b5c1187683a78f0659c043264ff2ab2d508d80e76aa0814f5399b80de6ca5fb0a6c9517e67e350bdef70dfd4c2d37002f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lj226Mc.exe

MD5 e43ed2f89335b4323450cc5a8b743a12
SHA1 578aa2a3018d58c9162fe9fd4d30e65a352fe58e
SHA256 462b13ad372a6c80aba06a0b94583199ecf97aa2122db642ee581f9ca5b96214
SHA512 70d7c974f40c7b03608697fdfea69d3b5c1187683a78f0659c043264ff2ab2d508d80e76aa0814f5399b80de6ca5fb0a6c9517e67e350bdef70dfd4c2d37002f

memory/5904-441-0x0000000000FB0000-0x0000000000FEE000-memory.dmp

memory/5756-442-0x00007FFA21D50000-0x00007FFA22811000-memory.dmp

memory/5904-443-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/5904-445-0x0000000007F60000-0x0000000007F70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 60915ec78d50421fbe9d745b9c82c31d
SHA1 b829f028b99aacf788c6e029ae2b34d73937a9ef
SHA256 bc388a7bb9c95a5dd65bdca80abbc5d143904457f2d00ab49ab0d6167e9e04b4
SHA512 7987f881fe720e25aea0a227b8d62ea6f666a01792864ae303d26ecaa66115f994e479907ebefadb28392b194183aad3f8bf47f9d617a672b9a183c1186090b1

memory/6036-476-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/6036-481-0x0000000007AF0000-0x0000000007B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

memory/5756-488-0x00007FFA21D50000-0x00007FFA22811000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5a151442a912ca01f99647909d2b6103
SHA1 8e9d1be4ce40204f5c402ac4399da2206e387123
SHA256 24485ec22a655616775565f0337e96e591fd324a8f02e1c0776eb629571c3a67
SHA512 6a656da9c0a2411ac59d002242f754427148cdff9e86871c741a4272eb93d0dd1b79667ed9ce2735eaadf1787bcb0603c93f2da85557248deee9f70071ec6c49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588fe7.TMP

MD5 dbdae70c45aa0530d5acc3796338812e
SHA1 cd5ce495cf9d16183ecf23f3c60cf9fe1170d0d5
SHA256 3a7e47a0f2686eca9a2c6f98a9e6e08110054d97c197d562e26ed972e873aab3
SHA512 dbc242801b187ca5b72f03274f4ebfda4447b73d42ff179808b3224fef63d346e65a087b0ab08734a93e6bf519f56acf497e3b66349cc3bc035f0ae218eea671

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

memory/5380-507-0x00007FF7F8A00000-0x00007FF7F8A6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

memory/1840-519-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/5392-526-0x0000000002710000-0x0000000002719000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/6048-534-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5392-537-0x00000000027E0000-0x00000000028E0000-memory.dmp

memory/2656-540-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/6048-541-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1840-535-0x0000000007C40000-0x0000000007C50000-memory.dmp

memory/2656-533-0x0000000000070000-0x00000000001E4000-memory.dmp

memory/5588-525-0x0000000000780000-0x000000000093D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/5584-552-0x0000000004590000-0x000000000498E000-memory.dmp

memory/5584-573-0x0000000004A90000-0x000000000537B000-memory.dmp

memory/5732-575-0x0000000000800000-0x000000000085A000-memory.dmp

memory/5304-578-0x0000000000400000-0x0000000000413000-memory.dmp

memory/5732-580-0x0000000000400000-0x000000000046A000-memory.dmp

memory/5588-582-0x0000000000780000-0x000000000093D000-memory.dmp

memory/2656-577-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/6012-574-0x0000000000A20000-0x0000000000A28000-memory.dmp

memory/5304-561-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/408-584-0x0000000000F90000-0x0000000000FC0000-memory.dmp

memory/2624-589-0x00000000033D0000-0x00000000033E6000-memory.dmp

memory/6012-596-0x00007FFA21FB0000-0x00007FFA22A71000-memory.dmp

memory/6048-592-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5904-585-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/408-600-0x0000000001470000-0x0000000001476000-memory.dmp

memory/5588-601-0x0000000000780000-0x000000000093D000-memory.dmp

memory/5584-604-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 134c90cb016bc970562101c28ba7c7f4
SHA1 89fc9660c1d006fbe37eea3306a0cda0c67b57b8
SHA256 1b391a28afe50c85fde81c3328e3f5f09466a9292928b9d92edb8449b9c7489a
SHA512 204a06fd6bfde6611efdd40418897afa97dac485ae459781cb6ca44a97c9f64e4d2968806ea09a460242237912578bf5c76578c3ee26365679a6344545d056fc

memory/6012-627-0x0000000002A80000-0x0000000002A90000-memory.dmp

memory/5904-629-0x0000000007F60000-0x0000000007F70000-memory.dmp

memory/5732-630-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/408-631-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/3964-632-0x0000000000640000-0x0000000000641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/4632-651-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4632-652-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4632-654-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5728-656-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5728-658-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5380-661-0x0000000002C60000-0x0000000002DD1000-memory.dmp

memory/5584-662-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5380-665-0x0000000002DE0000-0x0000000002F11000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cea9bab767fb5be52ad3b94a6c483526
SHA1 ae007914189bdf5e038ff719ebbeebb3054ce317
SHA256 601f02fe6524bdac475d9fcfbba6c0f054d7c1d79d6a0e01e9863f813a5127c3
SHA512 d58fd2a948e2c7fe6df65362c118b6a8a5a425a00fbf4cb095635b8b4d09cb0ffc09d67fc8b763b2d2bcea39c13cb693805af070dd9156e84d9cebcef8d15330

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2cf369d1262b8ff5af6cc2db3fc37548
SHA1 a8dabb5eb303215aa2a123c630cbc3f87029bc50
SHA256 38cf75b5340245b7e95dcb65af2379e4684f54f41c85e0fdbc852cfe2927bffd
SHA512 0f0af15758e58ad8efd2bc0c329f2c0b8a43f8bd4e70bf5d9cb5a726a6de2d09ad2fc68bb7c53f12c86548b93ca3f88a7ec8ad6f226b0c67e0c6fcec1150add9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 378f3de6f99cc234608f109081a25483
SHA1 4246ec4a39e5b13d9ffad92fa536805d4d25590f
SHA256 48e1693fc7fdbf78ba3c1cbbc83f0e83e72ba2b4eac9e37d8bd914994eaf17dd
SHA512 f8ef0dd12885a83da50bc1d0fac7298959d24c1f51e3907f94e86dac524b356cecc99d360c5928d3199434a10a44b1dc668546bce2dc6a315aa105f1dec08185

memory/5304-734-0x0000000000400000-0x0000000000413000-memory.dmp

memory/5584-767-0x0000000004A90000-0x000000000537B000-memory.dmp

memory/5732-770-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 463903c8a76dafa276d7a2bb84eff999
SHA1 680ac2f4c7bef785896c653ee7baf54475b30f99
SHA256 ec569091fae68aa2fb67c622b6309946aeb0ab0230dc63964704b28964e4da57
SHA512 b1de1e30421f8ebb55311214c88fa98886c17710610d864e9df9dbe84f3e4943258fbe6d1ad11a824d6ee0031d1869710d8a022a82249739150688e55e7b6fba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ec327f574081cb67b0dfbc2110ac5fb1
SHA1 b52abad46543d35a46fc61788c3ba739acb1fc22
SHA256 7e1886dcac7d34eb1bdbea0b943aa9b833635e536f4283f46b127e41aca56417
SHA512 dc9d9324a422e930890c75833f4fe7655b6b5896347e4704751eeacbef2704e83b1a32c68f14afd8859d75594678a6c88ad5959b5e870145bcc6a778c2df7316

memory/3964-793-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0b7d3f8eed6997e4801d7fc699c17965
SHA1 c53de104e36899edc9f42d6e6d52c953e9acb389
SHA256 ca7512b6d1a88359c35ba509bc0ed012c758014b80358fa2275f6655395c3028
SHA512 32e01a695d694a18ad93663e145335057c2c57ae34a42ce475522e4a5efefa7a1fee178bfbda43a7119e3dea3c9d8b7c846a5a6b315e163beaa0f49cdd9ffbe9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4hhfbu2.wbv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5584-848-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5728-886-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5584-890-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5728-926-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5728-1000-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5144-1001-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5144-1007-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5728-1039-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2320-1071-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5728-1102-0x0000000000400000-0x00000000005F1000-memory.dmp