Malware Analysis Report

2025-01-02 09:14

Sample ID 231004-p16hqsdg26
Target 9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814
SHA256 9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814
Tags
amadey dcrat fabookie healer mystic redline smokeloader @ytlogsbot frant backdoor google dropper evasion infostealer persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814

Threat Level: Known bad

The file 9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat fabookie healer mystic redline smokeloader @ytlogsbot frant backdoor google dropper evasion infostealer persistence phishing rat spyware stealer trojan

Amadey

Mystic

RedLine

RedLine payload

DcRat

Fabookie

Detects Healer an antivirus disabler dropper

Detected google phishing page

Healer

Detect Fabookie payload

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Downloads MZ/PE file

Windows security modification

Loads dropped DLL

Checks computer location settings

Uses the VBS compiler for execution

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 12:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 12:48

Reported

2023-10-04 12:51

Platform

win10-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\2049.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2049.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\2049.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\2049.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2049.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\2049.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1681.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "399673504" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = a0488896f3f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ad274e33c1f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f189294cc1f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1df37c34c1f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0d0c6e32c1f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 29a4d937c1f6d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2049.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2741.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3136 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\Temp\1681.exe
PID 3136 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\Temp\1681.exe
PID 3136 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\Temp\1681.exe
PID 2312 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\1681.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe
PID 2312 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\1681.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe
PID 2312 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\1681.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe
PID 3136 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\1828.exe
PID 3136 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\1828.exe
PID 3136 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\1828.exe
PID 2180 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe
PID 2180 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe
PID 2180 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe
PID 1740 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe
PID 1740 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe
PID 1740 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe
PID 3136 wrote to memory of 3856 N/A N/A C:\Windows\system32\cmd.exe
PID 3136 wrote to memory of 3856 N/A N/A C:\Windows\system32\cmd.exe
PID 3464 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe
PID 3464 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe
PID 3464 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe
PID 3252 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe
PID 3252 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe
PID 3252 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 32 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\1828.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3136 wrote to memory of 3784 N/A N/A C:\Users\Admin\AppData\Local\Temp\1EA2.exe
PID 3136 wrote to memory of 3784 N/A N/A C:\Users\Admin\AppData\Local\Temp\1EA2.exe
PID 3136 wrote to memory of 3784 N/A N/A C:\Users\Admin\AppData\Local\Temp\1EA2.exe
PID 3136 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\2049.exe
PID 3136 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\2049.exe
PID 3136 wrote to memory of 5024 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 5024 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 5024 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1EA2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3784 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1EA2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3784 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1EA2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3784 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1EA2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe

"C:\Users\Admin\AppData\Local\Temp\9378ecca05a8c4428f27880184bc63e8a8d352ea67a1486b0970a5c066ef5814.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 340

C:\Users\Admin\AppData\Local\Temp\1681.exe

C:\Users\Admin\AppData\Local\Temp\1681.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe

C:\Users\Admin\AppData\Local\Temp\1828.exe

C:\Users\Admin\AppData\Local\Temp\1828.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1990.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 144

C:\Users\Admin\AppData\Local\Temp\1EA2.exe

C:\Users\Admin\AppData\Local\Temp\1EA2.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 568

C:\Users\Admin\AppData\Local\Temp\2049.exe

C:\Users\Admin\AppData\Local\Temp\2049.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Users\Admin\AppData\Local\Temp\220F.exe

C:\Users\Admin\AppData\Local\Temp\220F.exe

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\2741.exe

C:\Users\Admin\AppData\Local\Temp\2741.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\2E28.exe

C:\Users\Admin\AppData\Local\Temp\2E28.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\cgitjer

C:\Users\Admin\AppData\Roaming\cgitjer

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.175.53.84.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 95.214.25.204:80 95.214.25.204 tcp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 204.25.214.95.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 ji.alie3ksgdd.com udp
US 104.21.54.252:80 ji.alie3ksgdd.com tcp
US 8.8.8.8:53 252.54.21.104.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 95.214.27.254:80 tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
MD 176.123.4.46:33783 tcp
US 8.8.8.8:53 accounts.google.com udp
DE 157.240.253.35:443 www.facebook.com tcp
DE 157.240.253.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 46.4.123.176.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 35.253.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 70.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
US 95.214.27.254:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
NL 88.221.24.27:443 www.bing.com tcp
NL 88.221.24.27:443 www.bing.com tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 27.24.221.88.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
DE 157.240.253.35:443 www.facebook.com tcp
DE 157.240.253.35:443 www.facebook.com tcp
FI 77.91.124.55:19071 tcp
US 95.214.27.254:80 tcp

Files

memory/4440-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4440-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3136-4-0x0000000000690000-0x00000000006A6000-memory.dmp

memory/4440-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1681.exe

MD5 8052e7100f9547fb8a9769a190d0c59c
SHA1 f3fdcbf9ad71dba866aeb2d14f00a9fd312bc6ec
SHA256 62914a111cba89fe2340d72984b638c6e55374aba16f84c01065ff925f9fc996
SHA512 f04729d113f488f3b90684ce2f21f7cdd397b3c536487c1752cada889a917ea69f86c272bb477f782363bdb84afbe65c088a8f144a65e2d9f6e39b5e65ff1348

C:\Users\Admin\AppData\Local\Temp\1681.exe

MD5 8052e7100f9547fb8a9769a190d0c59c
SHA1 f3fdcbf9ad71dba866aeb2d14f00a9fd312bc6ec
SHA256 62914a111cba89fe2340d72984b638c6e55374aba16f84c01065ff925f9fc996
SHA512 f04729d113f488f3b90684ce2f21f7cdd397b3c536487c1752cada889a917ea69f86c272bb477f782363bdb84afbe65c088a8f144a65e2d9f6e39b5e65ff1348

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe

MD5 9ca4044cc0f8f72a29821e22443051d2
SHA1 1fc94e311299e5981fbcce3ad265aa52ad8ef2d8
SHA256 64ac414434b203c6f1a29d60e69c436914bbb5f0b0bb9ca3e0df57c32153cd30
SHA512 7ceba88c57a1fd574c420b8c63e9109ee64024275480e97f25919e41baff641b7e7d24f71570d40c48768ca47864174ffce9209605d60bc973275dcdad23b773

C:\Users\Admin\AppData\Local\Temp\1828.exe

MD5 221610ece0649f15926ff8c700894a4b
SHA1 f05152abf9de6bb2fe185ff69ff75ec10ea6b411
SHA256 a23409f579deb1d68ab914ea800df4a80cfded68e12c9205b9d6f3234c26b47d
SHA512 8ef9223fef92373b356154495706685310c7ed32347788bf9829cc021e142b291639e505202ef280d559fc0f8e428120e719b879d355c524abb687c16c984e77

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fq4lH5oI.exe

MD5 9ca4044cc0f8f72a29821e22443051d2
SHA1 1fc94e311299e5981fbcce3ad265aa52ad8ef2d8
SHA256 64ac414434b203c6f1a29d60e69c436914bbb5f0b0bb9ca3e0df57c32153cd30
SHA512 7ceba88c57a1fd574c420b8c63e9109ee64024275480e97f25919e41baff641b7e7d24f71570d40c48768ca47864174ffce9209605d60bc973275dcdad23b773

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe

MD5 80b4cd9c7502c8f161167f7ce51b7cfc
SHA1 f708ce2c70b678ddd4e83526b0be8ac2fc876e08
SHA256 40ac2d41fc99b89bf7b72b537bdb7286027469eed91a3a57c7750e32af487543
SHA512 fca77e18774f3a01cd7201efb17d767617c2b6f62d3f6a8dbfb75770e51d88a7cb0bc48c4101229220fb9ea5d93810d7d31bf33c108f838440ebf2085858b2b0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ9cO4sI.exe

MD5 80b4cd9c7502c8f161167f7ce51b7cfc
SHA1 f708ce2c70b678ddd4e83526b0be8ac2fc876e08
SHA256 40ac2d41fc99b89bf7b72b537bdb7286027469eed91a3a57c7750e32af487543
SHA512 fca77e18774f3a01cd7201efb17d767617c2b6f62d3f6a8dbfb75770e51d88a7cb0bc48c4101229220fb9ea5d93810d7d31bf33c108f838440ebf2085858b2b0

C:\Users\Admin\AppData\Local\Temp\1828.exe

MD5 221610ece0649f15926ff8c700894a4b
SHA1 f05152abf9de6bb2fe185ff69ff75ec10ea6b411
SHA256 a23409f579deb1d68ab914ea800df4a80cfded68e12c9205b9d6f3234c26b47d
SHA512 8ef9223fef92373b356154495706685310c7ed32347788bf9829cc021e142b291639e505202ef280d559fc0f8e428120e719b879d355c524abb687c16c984e77

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe

MD5 b536efc68641c35bc988c00020a0def8
SHA1 5d76cb9fe50deb94a9df05c8a37dde850a7d0de5
SHA256 a292f9c93c500d973a7b656535eb6cd14c307e6ebfbf6c72c5fdecd2d5aa2c11
SHA512 c5671e5e7f1f8816bcb7a4116ddcf7818f70bacdb8973e2519bc6f9451b697aa37c58787752a0175e031b65e704fdc2acb771fad1f09a163b996c37dc44a2fe6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bT5hH3cg.exe

MD5 b536efc68641c35bc988c00020a0def8
SHA1 5d76cb9fe50deb94a9df05c8a37dde850a7d0de5
SHA256 a292f9c93c500d973a7b656535eb6cd14c307e6ebfbf6c72c5fdecd2d5aa2c11
SHA512 c5671e5e7f1f8816bcb7a4116ddcf7818f70bacdb8973e2519bc6f9451b697aa37c58787752a0175e031b65e704fdc2acb771fad1f09a163b996c37dc44a2fe6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe

MD5 768cb2dbddea01e9bc675361e064ff4e
SHA1 809cfb0eadac44ae7d2a4dda6f81ad0cc3679152
SHA256 1dcc9f26d5a554ccb4ead9a53db587c0fec02dad546c1df1b4f965040f72a1d4
SHA512 72de1235b3b699b0f553c842720df02848076becd289dc5d150e09a1510e6984cf67219c8605a00d6f005907349bacc66243e20271fdd814c1aff1426b76adb9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dj8SY5jr.exe

MD5 768cb2dbddea01e9bc675361e064ff4e
SHA1 809cfb0eadac44ae7d2a4dda6f81ad0cc3679152
SHA256 1dcc9f26d5a554ccb4ead9a53db587c0fec02dad546c1df1b4f965040f72a1d4
SHA512 72de1235b3b699b0f553c842720df02848076becd289dc5d150e09a1510e6984cf67219c8605a00d6f005907349bacc66243e20271fdd814c1aff1426b76adb9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe

MD5 221610ece0649f15926ff8c700894a4b
SHA1 f05152abf9de6bb2fe185ff69ff75ec10ea6b411
SHA256 a23409f579deb1d68ab914ea800df4a80cfded68e12c9205b9d6f3234c26b47d
SHA512 8ef9223fef92373b356154495706685310c7ed32347788bf9829cc021e142b291639e505202ef280d559fc0f8e428120e719b879d355c524abb687c16c984e77

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe

MD5 221610ece0649f15926ff8c700894a4b
SHA1 f05152abf9de6bb2fe185ff69ff75ec10ea6b411
SHA256 a23409f579deb1d68ab914ea800df4a80cfded68e12c9205b9d6f3234c26b47d
SHA512 8ef9223fef92373b356154495706685310c7ed32347788bf9829cc021e142b291639e505202ef280d559fc0f8e428120e719b879d355c524abb687c16c984e77

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VB98fp2.exe

MD5 221610ece0649f15926ff8c700894a4b
SHA1 f05152abf9de6bb2fe185ff69ff75ec10ea6b411
SHA256 a23409f579deb1d68ab914ea800df4a80cfded68e12c9205b9d6f3234c26b47d
SHA512 8ef9223fef92373b356154495706685310c7ed32347788bf9829cc021e142b291639e505202ef280d559fc0f8e428120e719b879d355c524abb687c16c984e77

C:\Users\Admin\AppData\Local\Temp\1990.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

memory/1716-58-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1716-64-0x0000000000400000-0x0000000000428000-memory.dmp

memory/308-66-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1716-67-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1716-72-0x0000000000400000-0x0000000000428000-memory.dmp

memory/308-70-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1EA2.exe

MD5 6edf31176de58715a4dbd4e11fe058e8
SHA1 57c28d148bbf0b0648dfe079aa4be76ccbb815fc
SHA256 93eeb2782dcd790b3afc9aa46bec85f05a22e904d992d9201a3cc2132a18bcb0
SHA512 50348c85a86fdff6c826c6dbfd5237638190aa3cd690c1708fd1575cf5b452456194b3bee58f845cb075be4fe01b501fb182589845f8dd8c550de005b0f23790

memory/308-65-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1EA2.exe

MD5 6edf31176de58715a4dbd4e11fe058e8
SHA1 57c28d148bbf0b0648dfe079aa4be76ccbb815fc
SHA256 93eeb2782dcd790b3afc9aa46bec85f05a22e904d992d9201a3cc2132a18bcb0
SHA512 50348c85a86fdff6c826c6dbfd5237638190aa3cd690c1708fd1575cf5b452456194b3bee58f845cb075be4fe01b501fb182589845f8dd8c550de005b0f23790

C:\Users\Admin\AppData\Local\Temp\2049.exe

MD5 cb71132b03f15b037d3e8a5e4d9e0285
SHA1 95963fba539b45eb6f6acbd062c48976733519a1
SHA256 7f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373
SHA512 d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a

C:\Users\Admin\AppData\Local\Temp\2049.exe

MD5 cb71132b03f15b037d3e8a5e4d9e0285
SHA1 95963fba539b45eb6f6acbd062c48976733519a1
SHA256 7f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373
SHA512 d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a

memory/2772-79-0x0000000000610000-0x000000000061A000-memory.dmp

memory/2772-80-0x00007FF9DA790000-0x00007FF9DB17C000-memory.dmp

memory/308-81-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5112-82-0x000001D9EA020000-0x000001D9EA030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Local\Temp\220F.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Local\Temp\220F.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

memory/4340-96-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

memory/5112-111-0x000001D9EA600000-0x000001D9EA610000-memory.dmp

memory/4340-119-0x0000000071A00000-0x00000000720EE000-memory.dmp

memory/4340-133-0x000000000BF70000-0x000000000C46E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2741.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\2741.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4340-140-0x000000000BB50000-0x000000000BBE2000-memory.dmp

memory/5112-139-0x000001D9EA480000-0x000001D9EA482000-memory.dmp

memory/4340-141-0x000000000BDD0000-0x000000000BDE0000-memory.dmp

memory/4340-142-0x000000000BC00000-0x000000000BC0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4340-150-0x000000000CA80000-0x000000000D086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4340-151-0x000000000C470000-0x000000000C57A000-memory.dmp

memory/4340-152-0x000000000BDB0000-0x000000000BDC2000-memory.dmp

memory/4340-153-0x000000000BE20000-0x000000000BE5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E28.exe

MD5 2cfd2401d76429aa6d05b25472a94fa0
SHA1 b02ea5190b0ae4b7a76b6adefecf382c65e47ee9
SHA256 4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76
SHA512 daef2d971e409091321b3813ed28ce37a72842dcfa9eef32b1141b8de1be1c2c9a2a7f1955b8492b21cab40db9dedee2dacc366bea7c83f24284fa29cabd3aef

memory/3076-157-0x00000000011D0000-0x00000000013CC000-memory.dmp

memory/4340-158-0x000000000BE60000-0x000000000BEAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E28.exe

MD5 2cfd2401d76429aa6d05b25472a94fa0
SHA1 b02ea5190b0ae4b7a76b6adefecf382c65e47ee9
SHA256 4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76
SHA512 daef2d971e409091321b3813ed28ce37a72842dcfa9eef32b1141b8de1be1c2c9a2a7f1955b8492b21cab40db9dedee2dacc366bea7c83f24284fa29cabd3aef

memory/3076-167-0x00000000011D0000-0x00000000013CC000-memory.dmp

memory/2716-168-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3076-175-0x00000000011D0000-0x00000000013CC000-memory.dmp

memory/2716-177-0x0000000071A00000-0x00000000720EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

memory/2716-191-0x000000000BAD0000-0x000000000BAE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

memory/3092-192-0x00007FF729A10000-0x00007FF729A7A000-memory.dmp

memory/2772-233-0x00007FF9DA790000-0x00007FF9DB17C000-memory.dmp

memory/1436-241-0x0000014980180000-0x0000014980182000-memory.dmp

memory/1436-243-0x00000149801A0000-0x00000149801A2000-memory.dmp

memory/1436-247-0x00000149801C0000-0x00000149801C2000-memory.dmp

memory/4836-290-0x0000018EA5E80000-0x0000018EA5EA0000-memory.dmp

memory/4340-316-0x0000000071A00000-0x00000000720EE000-memory.dmp

memory/4836-354-0x0000018EA64E0000-0x0000018EA65E0000-memory.dmp

memory/4836-365-0x0000018EA5F00000-0x0000018EA5F20000-memory.dmp

memory/4340-368-0x000000000BDD0000-0x000000000BDE0000-memory.dmp

memory/2772-392-0x00007FF9DA790000-0x00007FF9DB17C000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\CC441YIK.cookie

MD5 886b34dd83cb60fa65102bf36faa2c07
SHA1 f4a6ef4225bfab2e6365691f6e7323512eb5d76d
SHA256 c12387188cf934c2b8cb3e974ed72bec0d88c7ce6b054c377507376a1cc31b2f
SHA512 1544e07733e467d126ba7c51494843a91ab2f5a1c082e01463f0f0ec1155457ef63a9428fd17eae2f532f70b44873d814e1ca17cd566b1574480854df654aa81

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

MD5 f55be45293c626c75f6f9e3a64a75a8c
SHA1 7fcd93b0663578e4b3c12fb7c260a4b511e8fd91
SHA256 ad529cb315ce13925a1c72b1b7127084241ff77027e6548a4d9704dd8eb42223
SHA512 62e05a2068c740ece93b3c35ca740cbd6943d321b3c54837b8a7bfd1327125f4992ccf7bb0f8438b8fa20c33471967fd761d0bc9a98d9bffc93f670e25f4be58

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

MD5 30ab18c0db04095dab914f0f3c3deff1
SHA1 30970a9fb1a467bf9c4454dafd0e5689f0889018
SHA256 e1f0fde1b2d3ddd2b7a269a988dab0a0c6321538ee6fe6db32c2cb3583794b5b
SHA512 5c1e8205c258cb43d5628d893945ccc7a185236138a2567a29bb7f679d1f9733c56232cf0cf6f185c7843c26a4ca85d434ef25f61b890dd607a50ee0f6149458

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 8a6b3d2bb029e2275b2bfe1deec40e1b
SHA1 1c3a56007961cb295da2c5d7f66a0d45fe9c9c3a
SHA256 c7de5d3b8ede19d3f1906497bcfd3bab801eb1d45a438ce0635b073ed156bf94
SHA512 378cc05a7b1333e2db66b95d5479cc53d4f4aae71a85a876674881811db8a5f80811eb0eca88949e0be5e057700fb930103087e4289ad1e08c943b9e92f62e96

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ec6be4e97fbe48ba4ea89c726bdf2649
SHA1 5cbb9c3104f9012815b6c7da4235505497bf4580
SHA256 a3be63916da7cd70489c658cef32e13ac857ca72887a43cc9e4304593e8db94e
SHA512 0284a2bd80ba10e78fb0dd79e058db4af8b322e50b9f88c4af9d9dfffcb503b286d192b4bfb5ecb065d5d95773ad6fae0180126270b68b2cc3db6df041f4f147

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3886b6b02abfacf0cb25d688869d1f5
SHA1 a29047d9a5b0ffdc186dad55bb0009c926463a24
SHA256 d2723a232bee7fca47784d458db6749c82dcf0e0ef5cc1399756d17848fdb39c
SHA512 599b3b9af9ab6eb81069e067ce21a0536b8292969c4d900844108e6ec1d3929b12752c82837fd90503c11aaa1a1b6c6c7b0e257436b5fb3fba27d66eb6946a07

memory/3092-434-0x0000000003530000-0x00000000036A1000-memory.dmp

memory/3092-443-0x00000000036B0000-0x00000000037E1000-memory.dmp

memory/4836-500-0x0000018EA5C00000-0x0000018EA5C02000-memory.dmp

memory/4836-512-0x0000018EA5C70000-0x0000018EA5C72000-memory.dmp

memory/4836-516-0x0000018EA5C90000-0x0000018EA5C92000-memory.dmp

memory/4836-524-0x0000018EA5CA0000-0x0000018EA5CA2000-memory.dmp

memory/5112-534-0x000001D9F0ED0000-0x000001D9F0ED1000-memory.dmp

memory/5112-533-0x000001D9F0EC0000-0x000001D9F0EC1000-memory.dmp

memory/4836-546-0x0000018EA5CB0000-0x0000018EA5CB2000-memory.dmp

memory/2716-550-0x000000000C5A0000-0x000000000C606000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\108LG1E4\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

memory/2716-595-0x0000000071A00000-0x00000000720EE000-memory.dmp

memory/2716-596-0x000000000BAD0000-0x000000000BAE0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\74K054K3.cookie

MD5 f6b62f5e16bc5603a30f894f7b5c903f
SHA1 e73b574a1e5d70cec0e4b24243cf170f8119d8a7
SHA256 7c0948cc522bed4f45293e71cf9b7bc94c1550b207af73662a19185a21f29aa9
SHA512 92a0383df57fbd1971f688dc84db9bef983c23c65788d031d699ca465f5899f403e1e1b56d601d5a49996cd8aee3134e3c768d26d4760841e81b7917418d223a

memory/2716-877-0x000000000D600000-0x000000000D7C2000-memory.dmp

memory/2716-878-0x000000000DD00000-0x000000000E22C000-memory.dmp

memory/3092-891-0x00000000036B0000-0x00000000037E1000-memory.dmp

memory/2716-1007-0x000000000DC70000-0x000000000DCC0000-memory.dmp

memory/2716-1018-0x0000000071A00000-0x00000000720EE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCCD8EAG\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Roaming\cgitjer

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\Roaming\cgitjer

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XHJB9618\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee