Malware Analysis Report

2025-01-02 09:14

Sample ID 231004-h4qhcshh5t
Target 26a3239551f746464e3137d6431a54630a11b76a8add1fd65769de268f150641
SHA256 26a3239551f746464e3137d6431a54630a11b76a8add1fd65769de268f150641
Tags
amadey dcrat fabookie healer mystic redline smokeloader @ytlogsbot frant backdoor google dropper evasion infostealer persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26a3239551f746464e3137d6431a54630a11b76a8add1fd65769de268f150641

Threat Level: Known bad

The file 26a3239551f746464e3137d6431a54630a11b76a8add1fd65769de268f150641 was found to be: Known bad.

Malicious Activity Summary


Amadey

SmokeLoader

Detected google phishing page

Mystic

Healer

DcRat

Detect Fabookie payload

Detects Healer an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Fabookie

Downloads MZ/PE file

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Windows security modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Analysis: static1

Detonation Overview

Reported

2023-10-04 07:17

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 07:17

Reported

2023-10-04 07:20

Platform

win10-20230915-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26a3239551f746464e3137d6431a54630a11b76a8add1fd65769de268f150641.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detect Fabookie payload


Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper


Fabookie

spyware stealer fabookie

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A
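
The five Real-Time Protection policy writes listed under "Modifies Windows Defender Real-time Protection settings" and the Features\TamperProtection = 0 write above all come from the same dropped file, 415D.exe, running from the user's Temp directory. Two points for triage: Defender honours these policy values only while Tamper Protection is off, so the report records that the registry writes succeeded, not that protection was actually disabled; and the write attempt is the signal regardless of outcome. The Python below is an added example, not part of the sandbox report or any vendor tooling. It parses rows in the report's own "Description Indicator Process Target" layout and flags writes that switch a Defender feature off, rating writers outside the Windows directory higher. The row regex, the policy key list, the severity rule and the benign Edge control row are this example's assumptions; the six tampering rows are copied from the tables above.

```python
import re
from dataclasses import dataclass

# Registry rows copied verbatim from the report: the five Real-Time Protection
# policy writes, the TamperProtection write, and one Edge row from "Modifies
# registry class" as a benign control.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\415D.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A',
]

# "Set value (<type>) <key\name> = <value> <process> <target>"; key paths may
# contain spaces, so the path group is lazy and stops at the first " = ".
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = '
    r'(?P<value>"[^"]*"|\S+) (?P<process>\S+) (?P<target>\S+)$'
)

# Defender locations, compared case-insensitively (assumption of this example:
# the documented policy key and the Features\TamperProtection value).
RTP_POLICY_KEY = r'\registry\machine\software\policies\microsoft\windows defender\real-time protection'
TAMPER_KEY = r'\registry\machine\software\microsoft\windows defender\features'


@dataclass(frozen=True)
class RegWrite:
    key: str
    name: str
    value: str
    process: str


@dataclass(frozen=True)
class Finding:
    name: str
    value: str
    process: str
    severity: str


def parse_rows(rows):
    """Turn report rows into RegWrite records; rows without a value are skipped."""
    writes = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key, _, name = m['path'].rpartition('\\')
        writes.append(RegWrite(key, name, m['value'].strip('"'), m['process']))
    return writes


def is_defender_tamper(w):
    """True for writes that switch a real-time protection feature off."""
    key, name = w.key.lower(), w.name.lower()
    if key == RTP_POLICY_KEY and name.startswith('disable') and w.value == '1':
        return True
    return key == TAMPER_KEY and name == 'tamperprotection' and w.value == '0'


def tamper_findings(rows):
    """Flag Defender-tampering writes; writers outside the Windows directory rate 'high'."""
    findings = []
    for w in parse_rows(rows):
        if is_defender_tamper(w):
            in_system = w.process.lower().startswith('c:\\windows\\')
            findings.append(Finding(w.name, w.value, w.process, 'medium' if in_system else 'high'))
    return findings


if __name__ == '__main__':
    for f in tamper_findings(REPORT_ROWS):
        print(f'{f.severity:6} {f.name}={f.value}  by {f.process}')
```

Run against the rows above this yields six high-severity findings, all attributed to 415D.exe, and leaves the Edge control row alone; the same logic applied to Sysmon EventID 13 (registry value set) telemetry gives a host-side detection for this tampering pattern.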

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2B60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fk7Pk7PQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft5lV6qZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oK4Qc9bi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bg9VR0Pa.exe N/A
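
The five wextract_cleanupN values above are the RunOnce entries that the wextract SFX stub (the extractor behind IExpress-built packages) registers so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP00N.TMP extraction directory at the next logon. They do not start the payload, so they are packer clean-up rather than persistence. What they do give the analyst is the dropper lineage: each entry is written by the executable that the previous layer extracted (2B60.exe writes cleanup0 for IXP000.TMP, IXP000.TMP\fk7Pk7PQ.exe writes cleanup1 for IXP001.TMP, and so on), five layers deep, with the innermost IXP004.TMP extracted by Bg9VR0Pa.exe. The Python below is an added example, not part of the report: it rebuilds that chain from the rows as printed (including the report's escaped backslashes and quotes), checks that every writer really lives in the previous layer's directory, and applies a nesting-depth heuristic. The depth threshold and the %TEMP% check are this example's assumptions.

```python
import re

# (value name, value data exactly as printed in the report, writing process)
# from the "Adds Run key to start application" table above.
RUNONCE_ROWS = [
    ('wextract_cleanup0',
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"',
     r'C:\Users\Admin\AppData\Local\Temp\2B60.exe'),
    ('wextract_cleanup1',
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"',
     r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fk7Pk7PQ.exe'),
    ('wextract_cleanup2',
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"',
     r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft5lV6qZ.exe'),
    ('wextract_cleanup3',
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"',
     r'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oK4Qc9bi.exe'),
    ('wextract_cleanup4',
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"',
     r'C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bg9VR0Pa.exe'),
]

CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]+)"', re.IGNORECASE)
INDEX_RE = re.compile(r'^wextract_cleanup(?P<n>\d+)$', re.IGNORECASE)


def unescape(report_value):
    """Undo the report's escaping of quotes and backslashes inside value data."""
    return report_value.replace('\\"', '"').replace('\\\\', '\\')


def cleanup_dir(report_value):
    """Directory that DelNodeRunDLL32 will delete, or None if not a wextract entry."""
    m = CLEANUP_RE.search(unescape(report_value))
    return m['dir'].rstrip('\\') if m else None


def reconstruct_chain(rows):
    """Ordered stages: (layer index, writing process, directory that layer extracted)."""
    stages = []
    for name, value, writer in rows:
        idx, d = INDEX_RE.match(name), cleanup_dir(value)
        if idx and d:
            stages.append((int(idx['n']), writer, d))
    return sorted(stages)


def nesting_is_consistent(stages):
    """Each layer's writer must live inside the directory the previous layer extracted."""
    return all(writer.lower().startswith(prev_dir.lower() + '\\')
               for (_, writer, _), (_, _, prev_dir) in zip(stages[1:], stages))


# Assumption of this example: a legitimate IExpress package unpacks once;
# more than one consistently nested layer under %TEMP% is treated as dropper behaviour.
MAX_BENIGN_LAYERS = 1


def is_nested_dropper(stages):
    in_temp = all('\\temp\\' in d.lower() for _, _, d in stages)
    return in_temp and nesting_is_consistent(stages) and len(stages) > MAX_BENIGN_LAYERS


if __name__ == '__main__':
    chain = reconstruct_chain(RUNONCE_ROWS)
    for n, writer, d in chain:
        print(f'layer {n}: {writer} -> extracts into {d}')
    print('nested dropper:', is_nested_dropper(chain))
```

The consistency check matters because the RunOnce values themselves are identical to what a benign IExpress installer writes; only the chain of writers, each sitting in the previous layer's IXP directory, distinguishes a multi-stage dropper from a one-shot package.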

Drops file in Windows directory

All rows in this table are written by Edge's own processes (MicrosoftEdge.exe, MicrosoftEdgeCP.exe), not by the sample or the files it dropped; the resource-cache .pri entries and the ESE log are Edge start-up state and should be treated as browser noise during triage.

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

AppLaunch.exe is the .NET Framework application launcher and has no reason of its own to enumerate SCSI device entries; read together with the SetThreadContext, WriteProcessMemory and MapViewOfSection entries in the summary, these queries are consistent with code injected into it. The injecting process is not recorded in this table.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Both rows are written by Edge components (browser_broker.exe and MicrosoftEdgeCP.exe) creating the per-user Internet Explorer\Main key; nothing here is attributable to the sample.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

All rows in this table sit under the Edge AppContainer storage hive (..._Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe) and are written by MicrosoftEdge.exe or MicrosoftEdgeCP.exe; they are browser state, not modifications made by the sample.

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = eb4779f192f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "403168868" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1fd363f192f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6ca5380c93f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\415D.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 596 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\26a3239551f746464e3137d6431a54630a11b76a8add1fd65769de268f150641.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3244 wrote to memory of 4616 N/A N/A C:\Users\Admin\AppData\Local\Temp\2B60.exe
PID 4616 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2B60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fk7Pk7PQ.exe
PID 2156 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fk7Pk7PQ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft5lV6qZ.exe
PID 4600 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft5lV6qZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oK4Qc9bi.exe
PID 3644 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oK4Qc9bi.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bg9VR0Pa.exe
PID 4464 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bg9VR0Pa.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ds67zT4.exe
PID 3188 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ds67zT4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3244 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\32D4.exe
PID 3244 wrote to memory of 4820 N/A N/A C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\32D4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2528 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\32D4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3244 wrote to memory of 1692 N/A N/A C:\Windows\System32\Conhost.exe
PID 3244 wrote to memory of 4648 N/A N/A C:\Users\Admin\AppData\Local\Temp\415D.exe
PID 3244 wrote to memory of 3552 N/A N/A C:\Users\Admin\AppData\Local\Temp\43EF.exe
PID 1692 wrote to memory of 4900 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\26a3239551f746464e3137d6431a54630a11b76a8add1fd65769de268f150641.exe

"C:\Users\Admin\AppData\Local\Temp\26a3239551f746464e3137d6431a54630a11b76a8add1fd65769de268f150641.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 144

C:\Users\Admin\AppData\Local\Temp\2B60.exe

C:\Users\Admin\AppData\Local\Temp\2B60.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fk7Pk7PQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fk7Pk7PQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft5lV6qZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft5lV6qZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oK4Qc9bi.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oK4Qc9bi.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bg9VR0Pa.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bg9VR0Pa.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ds67zT4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ds67zT4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\32D4.exe

C:\Users\Admin\AppData\Local\Temp\32D4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 572

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3507.bat" "

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\4082.exe

C:\Users\Admin\AppData\Local\Temp\4082.exe

C:\Users\Admin\AppData\Local\Temp\415D.exe

C:\Users\Admin\AppData\Local\Temp\415D.exe

C:\Users\Admin\AppData\Local\Temp\43EF.exe

C:\Users\Admin\AppData\Local\Temp\43EF.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4C8B.exe

C:\Users\Admin\AppData\Local\Temp\4C8B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\5660.exe

C:\Users\Admin\AppData\Local\Temp\5660.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\iuiesdg

C:\Users\Admin\AppData\Roaming\iuiesdg

Network

Country Destination Domain Proto
US 8.8.8.8:53 80.121.18.2.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 95.214.25.204:80 95.214.25.204 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 204.25.214.95.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.55:19071 N/A tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
MD 176.123.4.46:33783 N/A tcp
US 8.8.8.8:53 46.4.123.176.in-addr.arpa udp
US 8.8.8.8:53 ji.alie3ksgdd.com udp
US 172.67.143.192:80 ji.alie3ksgdd.com tcp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 192.143.67.172.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 95.214.27.254:80 N/A tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 88.221.24.83:443 www.bing.com tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 83.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/5064-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5064-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3244-4-0x0000000001480000-0x0000000001496000-memory.dmp

memory/5064-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2B60.exe

MD5 aab63c233da2acf54393ba50f92bf7f5
SHA1 8b94aaa8002c4ab6665d86dd079783bcc15a78ee
SHA256 37a81bd1ee8e13048f5a71bee31fa16b0065f84b90670474c4e6d9a3d5ffb32f
SHA512 a5eb6da1d6e8d2463c1ff70c0b7cfe4df4566cf910fae6ab018db1f2f0b724278e01a89a029c2ff00eab1f5abd4f99c215cca54c96e48a59aed4e0a1bb31e58c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fk7Pk7PQ.exe

MD5 42a40d9b6e4708172d21bfcb1f11aee5
SHA1 0885c2b369306a64136fc909c798e6de1d1b61c3
SHA256 1311ce2db8587ef2efbd04586c99f25ee93d5ee626ba0db83bd8df3427a5276f
SHA512 07ce22273df5404c4bd29fc021ebaba3527a781552df58879bbc15a0e5fe9755d548363653eadd8f192c1fdad65c31e3608d928761ead62b68f101e6780ec740

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft5lV6qZ.exe

MD5 a874747f9d7b6d0941fd26338f19d53c
SHA1 e62ebd34052c0058436e12860157a1e88602936a
SHA256 2c09d33ba0a8e269ff090ef9be52ab5c089d9462b46e00bff99bc55aa206a0f5
SHA512 29b9cb48a2c236d60ff6562d7ab665e6204c33bde68dea1fcdce47b48dd1c9451b92c080c20b70785b33adf6841944f5ff9db51a31a09a165c9ed901f5a16292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oK4Qc9bi.exe

MD5 6dcc042f08cd61559b1352c278b5570d
SHA1 9d2628609668b36028e9c596dc632c2c1a41b578
SHA256 519490e5502bd6658f4cec2c5d18e890500b26edc6ea7c265c709a85d0188582
SHA512 59fdae6219dd204fec2b86a08ba80b5c91509da755fd058e88d53cc921402ba78dd45a0799133e71f5063f363a5741e118084e13eb14cc361f703497a31ca07d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bg9VR0Pa.exe

MD5 18b1a5f1db4590cfc6bee22c44ca057c
SHA1 dec704c9b36762c5ce4a26d990ffff0ff1285d11
SHA256 7d53c3206384265ba7553d588562d7c4a88d0e7ff44fb1baee70a18c98bbede6
SHA512 4d9f642d2a19635a3c563a58807e9e40682a85e3ceb96ba943f18ca012b7abed390e5a48ae013347e443bff071a66fcddf8ce1b586d0cedacb6d30bc0064537e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ds67zT4.exe

MD5 e3516609fbf6972217835e9ed61c20fd
SHA1 3f8d9ca9331754a7c8b4e1dde48339994a8dea32
SHA256 68b6a5126661d13b56a808d195850112b421f67457025d5ab0a186dc43cc41d5
SHA512 5edcbe8eca6764a52aa627b241e1f086c6a6ab8938d3ce27095ff3664904f1a08dd008bf0e2fd45afb8e5c61bd4035fb691ccdadd5537c8c3871a6d645829bd6

memory/660-51-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32D4.exe

MD5 e3516609fbf6972217835e9ed61c20fd
SHA1 3f8d9ca9331754a7c8b4e1dde48339994a8dea32
SHA256 68b6a5126661d13b56a808d195850112b421f67457025d5ab0a186dc43cc41d5
SHA512 5edcbe8eca6764a52aa627b241e1f086c6a6ab8938d3ce27095ff3664904f1a08dd008bf0e2fd45afb8e5c61bd4035fb691ccdadd5537c8c3871a6d645829bd6

memory/660-56-0x0000000000400000-0x0000000000428000-memory.dmp

memory/660-57-0x0000000000400000-0x0000000000428000-memory.dmp

memory/660-59-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3507.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

memory/3636-68-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3636-69-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3636-70-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1776-71-0x000002093F700000-0x000002093F710000-memory.dmp

memory/3636-74-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1776-88-0x000002093FB30000-0x000002093FB40000-memory.dmp

memory/1776-107-0x0000020940120000-0x0000020940122000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 fd1c5a76963f6a4e5abf07dbdfaab0f9
SHA1 b7ab303d09211e7ecf1442137e35d896a74f4d1a
SHA256 703eb40512774eabdfeb769f4f64d1c8dedf8e07d415fc50c3bb32cde0878aeb
SHA512 8f9a28f4eec60bc927917869ef7b693e90df7539a6c4f7350a556e0bc2e1cbc7317941e39cf4cf1ba9473fd61fe298a84dc5026193450589b0863f3f39bc4907

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\Local\Temp\4082.exe

MD5 9b8ffec146aca378c4710e79fd55fd82
SHA1 aa16736a5473b950e5c4316a0703b14922f20581
SHA256 7fd176719696ee2e7c9a90894575149aa9771928dec688508c798699fccf9413
SHA512 24a05eab91a35cbda860f36a8422329ad828b3317818b179217b244392d80b56c4b83e90784f3354b1c70ff00f0b4443016bae300379f246f011609c79c95392

C:\Users\Admin\AppData\Local\Temp\415D.exe

MD5 cb71132b03f15b037d3e8a5e4d9e0285
SHA1 95963fba539b45eb6f6acbd062c48976733519a1
SHA256 7f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373
SHA512 d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a

memory/4648-151-0x0000000000260000-0x000000000026A000-memory.dmp

memory/4648-155-0x00007FF9BD620000-0x00007FF9BE00C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Local\Temp\43EF.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

memory/4900-210-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4932-216-0x000002F999AD0000-0x000002F999AF0000-memory.dmp

memory/4900-240-0x0000000071E30000-0x000000007251E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

memory/4900-256-0x000000000C060000-0x000000000C55E000-memory.dmp

memory/4900-272-0x000000000BC40000-0x000000000BCD2000-memory.dmp

memory/4932-279-0x000002F99A1E0000-0x000002F99A2E0000-memory.dmp

memory/4932-285-0x000002F9991F0000-0x000002F999210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C8B.exe

MD5 965fcf373f3e95995f8ae35df758eca1
SHA1 a62d2494f6ba8a02a80a02017e7c347f76b18fa6
SHA256 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
SHA512 55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

memory/4900-293-0x000000000BD90000-0x000000000BDA0000-memory.dmp

memory/4900-297-0x000000000BCF0000-0x000000000BCFA000-memory.dmp

memory/976-296-0x0000000001290000-0x000000000144D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C8B.exe

MD5 965fcf373f3e95995f8ae35df758eca1
SHA1 a62d2494f6ba8a02a80a02017e7c347f76b18fa6
SHA256 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
SHA512 55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

memory/4900-367-0x000000000CB70000-0x000000000D176000-memory.dmp

memory/4900-375-0x000000000C560000-0x000000000C66A000-memory.dmp

memory/4900-380-0x000000000BEA0000-0x000000000BEB2000-memory.dmp

memory/4932-383-0x000002F999940000-0x000002F999942000-memory.dmp

memory/4900-387-0x000000000BF10000-0x000000000BF4E000-memory.dmp

memory/4932-391-0x000002F999B20000-0x000002F999B22000-memory.dmp

memory/4900-390-0x000000000BF50000-0x000000000BF9B000-memory.dmp

memory/5424-397-0x0000000000400000-0x0000000000430000-memory.dmp

memory/976-396-0x0000000001290000-0x000000000144D000-memory.dmp

memory/4932-405-0x000002F99A2E0000-0x000002F99A2E2000-memory.dmp

memory/4932-415-0x000002F99A2F0000-0x000002F99A2F2000-memory.dmp

memory/976-418-0x0000000001290000-0x000000000144D000-memory.dmp

memory/4932-426-0x000002F99A6F0000-0x000002F99A6F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5660.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/5424-428-0x0000000000A90000-0x0000000000A96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5660.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4932-435-0x000002F99BAE0000-0x000002F99BAE2000-memory.dmp

memory/5424-424-0x0000000071E30000-0x000000007251E000-memory.dmp

memory/4932-438-0x000002F99BAF0000-0x000002F99BAF2000-memory.dmp

memory/5424-439-0x0000000008C30000-0x0000000008C40000-memory.dmp

memory/1776-447-0x0000020946190000-0x0000020946191000-memory.dmp

memory/1776-445-0x0000020946180000-0x0000020946181000-memory.dmp

memory/4932-443-0x000002F99BB00000-0x000002F99BB02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\IFZCX6J4\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4648-524-0x00007FF9BD620000-0x00007FF9BE00C000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\74K7OVBI.cookie

MD5 5cd98f4297d496c5fad95a0bae298f46
SHA1 d0df4430968256176f04ff7ab1bf3095ed11bd55
SHA256 2baa8e77c6d327edb8ab6098c92aedaae97f66bbe50dedb9d09243187d687e0a
SHA512 f882c53aceeda15b24e9d5441fa4406d1b90847ce7d9c21f683f5d146d099b29de4c1d443b47c33e47e351b38c9ee9d5ffef531b937191bb5e802076172edc04

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

MD5 f55be45293c626c75f6f9e3a64a75a8c
SHA1 7fcd93b0663578e4b3c12fb7c260a4b511e8fd91
SHA256 ad529cb315ce13925a1c72b1b7127084241ff77027e6548a4d9704dd8eb42223
SHA512 62e05a2068c740ece93b3c35ca740cbd6943d321b3c54837b8a7bfd1327125f4992ccf7bb0f8438b8fa20c33471967fd761d0bc9a98d9bffc93f670e25f4be58

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

MD5 ad9e9b2df5166fb9757a1378cffa1a03
SHA1 1317def7e3efb6e82267e0a72a3d1a764aad47e0
SHA256 b6ed7c7be3151a2244f42288ea07b4432a89e86c38db09cb758cc95ee1461d3a
SHA512 43e9576821b1d36344800ce7c1c772651fd1bf2ac30316212d3a213b801f201dc282ea2135f69e94cc85f2d7b2d8a77b2849a85784f696781e93ac25da6b2fc8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 09282b0765285878a7cb77734e09ac95
SHA1 6316e8c5e4b1bf3d2f9b036a9f635ffde12133b1
SHA256 55f932eb3dba564f0345a80af0a61866330e822c71b10c6af9a1b3a5d1a34cd8
SHA512 b41b3a2bf760d5c5e0ddf11dc25614f8e4010778549a92506ea3715890c93313ee6663c6a44fbde20c81fb88e4aafc58e2bc28900c0eebd707caa598d23f29b8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f61d6de8fad3bb007dd9d31cdbee8ee3
SHA1 390cd42718129d0e4da692565ef71eb2292ea05d
SHA256 6ce1191f61c2346e325ea095bf8579ad8fddb447da50cebd2f1c8538e2e1a8c9
SHA512 b3bab1a9dc1f26a5a9f884d5cc2a1eb8b691e4c2aa35068e6ff44b12371e1a86c0f444339b8b1ba62dbdc4029c3f6d51c122ea08a9cf803403fea2f7ab24da4b

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 50f60f01721dc642a9d4eb4d3f595548
SHA1 c557f659a5c463afda81dd9a30c8f233d53ebebe
SHA256 e69936d34aae532de57d015a9e2d66473786ea3ebfd6c18c20c90def3d564ddb
SHA512 61892ab826582ed4bf8e74bdcb08129b9756911e818a9b34a843c7df37d9346d4ea416ace8f5176e5232ff016e16dab1a31b27e4abe11790df4f5417921cdc6b

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

memory/5524-553-0x00007FF7D45F0000-0x00007FF7D465A000-memory.dmp

memory/4900-575-0x0000000071E30000-0x000000007251E000-memory.dmp

memory/4648-580-0x00007FF9BD620000-0x00007FF9BE00C000-memory.dmp

memory/4900-581-0x000000000BD90000-0x000000000BDA0000-memory.dmp

memory/5424-582-0x0000000008FE0000-0x0000000009056000-memory.dmp

memory/5424-585-0x0000000009060000-0x00000000090C6000-memory.dmp

memory/5424-669-0x0000000071E30000-0x000000007251E000-memory.dmp

memory/5524-671-0x0000000003620000-0x0000000003791000-memory.dmp

memory/5524-673-0x00000000037A0000-0x00000000038D1000-memory.dmp

memory/5424-674-0x0000000008C30000-0x0000000008C40000-memory.dmp

memory/5424-862-0x000000000A1A0000-0x000000000A1F0000-memory.dmp

memory/5424-871-0x000000000AA40000-0x000000000AC02000-memory.dmp

memory/5424-872-0x000000000B5F0000-0x000000000BB1C000-memory.dmp

memory/5524-879-0x00000000037A0000-0x00000000038D1000-memory.dmp

memory/5424-992-0x0000000071E30000-0x000000007251E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MAL5FGVU\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\CI93G8YT\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Roaming\iuiesdg

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\Roaming\iuiesdg

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4
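The listing above records one entry per observation, so the same dropped file appears many times and byte-identical copies under different names are easy to miss: 43EF.exe and fefffe8cea\explothe.exe carry the same SHA256, as do 5660.exe and 207aa4515d\oneetx.exe. The Python below is an added example, not part of the report or of the sandbox's own tooling. It parses this blank-line separated format, checks that each record carries all four digests at the expected hex length, groups paths by SHA256 so repeated copies collapse into one indicator, and decodes the memory dump file names. The embedded input is an excerpt copied from the listing above. Reading a dump name as pid, sequence number, start address and end address is an assumption drawn from the naming pattern; the report does not state the field meanings.

```python
import re
from collections import defaultdict

# Digest lengths in hex characters, used to catch truncated or mangled hashes.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# Assumption: the dump name encodes <pid>-<sequence>-<start>-<end>.
DUMP_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Excerpt copied from the Files listing above so the example runs offline.
LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\43EF.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

memory/4900-210-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

memory/4932-216-0x000002F999AD0000-0x000002F999AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5660.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
"""


def parse_listing(text):
    """Return (files, dumps); files keeps one record per occurrence."""
    files, dumps, pending_path = [], [], None
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        dump = DUMP_LINE.match(lines[0]) if len(lines) == 1 else None
        if dump:
            pid, seq, start, end = dump.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq), "start": start,
                          "end": end, "size": end - start})
            continue
        hashes = {m.group(1): m.group(2).lower()
                  for m in map(HASH_LINE.match, lines) if m}
        if hashes and len(hashes) == len(lines):
            # A hash block belongs to the path line before it; a block with
            # no preceding path (listing cut mid-entry) gets path None.
            files.append({"path": pending_path, **hashes})
            pending_path = None
        elif len(lines) == 1:
            pending_path = lines[0]
    return files, dumps


def validate_hashes(entry):
    """List missing digests or digests of the wrong length for one record."""
    problems = []
    for algo, length in HASH_LENGTHS.items():
        digest = entry.get(algo)
        if digest is None:
            problems.append(f"{algo} missing")
        elif len(digest) != length:
            problems.append(f"{algo} has {len(digest)} hex chars, expected {length}")
    return problems


def group_by_sha256(files):
    """Map each SHA256 to the sorted distinct paths it was written to."""
    groups = defaultdict(set)
    for rec in files:
        if rec["path"] is not None:
            groups[rec["SHA256"]].add(rec["path"])
    return {digest: sorted(paths) for digest, paths in groups.items()}


if __name__ == "__main__":
    files, dumps = parse_listing(LISTING)
    for digest, paths in group_by_sha256(files).items():
        print(digest[:16], "seen as", paths)
    for d in dumps:
        print(f"pid {d['pid']} region 0x{d['start']:X}-0x{d['end']:X} ({d['size']} bytes)")
```

Grouping by SHA256 rather than by path is what turns this listing into usable indicators: the random directory names (fefffe8cea, 207aa4515d, 006700e5a2ab05) change per infection, while the content hashes and the pattern of a Temp\*.exe being copied into such a directory do not.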