Malware Analysis Report

2025-01-02 08:53

Sample ID 231005-fffxxagg3x
Target 961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3
SHA256 961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3
Tags
amadey dcrat healer redline smokeloader @ytlogsbot backdoor google dropper evasion infostealer persistence phishing rat spyware trojan fabookie mystic frant stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3

Threat Level: Known bad

The file 961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat healer redline smokeloader @ytlogsbot backdoor google dropper evasion infostealer persistence phishing rat spyware trojan fabookie mystic frant stealer

Amadey

Modifies Windows Defender Real-time Protection settings

Detect Fabookie payload

Detect Mystic stealer payload

Fabookie

Mystic

RedLine payload

Healer

SmokeLoader

Detected google phishing page

Detects Healer, an antivirus disabler dropper

RedLine

DcRat

Downloads MZ/PE file

Loads dropped DLL

Windows security modification

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-05 04:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-05 04:48

Reported: 2023-10-05 04:53

Platform: win7-20230831-en

Max time kernel: 300s

Max time network: 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detected google phishing page

phishing google

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A16E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD52.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B2C1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B66B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BA23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\cediatc N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B2C1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B66B.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Uses the VBS compiler for execution

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9CFB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000c02447405d7e65c1b5c5538eb239fabc8be0e503d6b346d167ce5fca225d9395000000000e8000000002000020000000de7b068a9acf7f7c59146036a570bd35fad10db1819819b813bfeedba3b0f52e2000000038d684eb496b68d97c5a274c290b8c0e209c0173fcb4a38f7161094ac2872d1e40000000dacbfc55bcccb1f1d5bc4de8142e32faba642c6aaa0a138799dd3044fb25efcc61f59bd452acdfd2b4733b4aa882024fef633645ac95b47582066055c306208a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402643223" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b0ce5f47f7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{876AF9E1-633A-11EE-9922-7AA063A69366} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87E1FEA1-633A-11EE-9922-7AA063A69366} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B06F.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B66B.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3012 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\SysWOW64\WerFault.exe
PID 3012 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\SysWOW64\WerFault.exe
PID 3012 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\SysWOW64\WerFault.exe
PID 3012 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\SysWOW64\WerFault.exe
PID 1232 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe
PID 1232 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe
PID 1232 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe
PID 1232 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe
PID 1232 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe
PID 1232 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe
PID 1232 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe
PID 2336 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 2336 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 2336 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 2336 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 2336 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 2336 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 2336 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9CFB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 1232 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\A16E.exe
PID 1232 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\A16E.exe
PID 1232 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\A16E.exe
PID 1232 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\A16E.exe
PID 2772 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe (7 write events)
PID 2660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe (7 write events)
PID 2688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe (7 write events)
PID 2648 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\A16E.exe C:\Windows\SysWOW64\WerFault.exe (4 write events)
PID 2668 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe (7 write events)
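The bursts of writes above are what a staged loader looks like from the outside: each parent (IXP000 through IXP003) creates the next stage as a child and writes the unpacked image into it, while the single burst into WerFault.exe is only Windows Error Reporting collecting a crash of A16E.exe. The script below is an added example, not part of the sandbox output. It parses rows in the table's format, tallies the writes per parent/child pair and walks the edges into the nested chain. The rows embedded in it are a constructed subset copied from the table, the "crash handler" label for WerFault.exe is this example's own heuristic, and the optional trailing "(N write events)" count it accepts is a notation used on this page rather than the sandbox's own.

```python
import re

# Rows copied from the "wrote to memory" table above (a constructed subset; the report
# lists seven identical writes for most parent/child pairs).
WRITE_EVENTS = r"""
PID 2772 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe
PID 2772 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe
PID 2772 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe
PID 2660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe
PID 2660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe
PID 2688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe
PID 2688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe
PID 2648 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\A16E.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe
PID 2668 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe
"""

# Optional "(N write events)" suffix: rows that were already collapsed into one line.
LINE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.+?)(?: \((\d+) write events?\))?$")
# The two path columns are space-separated, but Windows paths may themselves contain
# spaces, so split only where a new drive-letter path begins.
PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_crash_handler(path):
    # WerFault.exe is spawned by Windows Error Reporting for a crashing process;
    # a write into it is crash handling, not a payload stage (heuristic of this example).
    return basename(path).lower() == "werfault.exe"


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_pid, dst_pid, _flags, rest, repeat = m.groups()
        paths = PATH_SPLIT.split(rest)
        if len(paths) != 2:
            continue
        events.append({"src_pid": int(src_pid), "dst_pid": int(dst_pid),
                       "src": paths[0], "dst": paths[1], "writes": int(repeat or 1)})
    return events


def summarize_edges(events):
    """One record per (writer PID, target PID) with the total number of writes.
    A burst of writes into a freshly created child is a loader mapping a new image
    into it section by section."""
    edges = {}
    for e in events:
        key = (e["src_pid"], e["dst_pid"])
        rec = edges.setdefault(key, {
            "src": basename(e["src"]), "dst": basename(e["dst"]), "writes": 0,
            "kind": "crash handler" if is_crash_handler(e["dst"]) else "staged payload"})
        rec["writes"] += e["writes"]
    return edges


def injection_chains(events):
    """Follow writer->target edges (WerFault excluded) from every PID nobody wrote into;
    each chain is returned as a list of image names."""
    children, targets, names = {}, set(), {}
    for e in events:
        names[e["src_pid"]] = e["src"]
        names[e["dst_pid"]] = e["dst"]
        if is_crash_handler(e["dst"]):
            continue
        kids = children.setdefault(e["src_pid"], [])
        if e["dst_pid"] not in kids:
            kids.append(e["dst_pid"])
        targets.add(e["dst_pid"])
    chains = []

    def walk(pid, path):
        kids = children.get(pid, [])
        if not kids:
            chains.append(path)
            return
        for kid in kids:
            walk(kid, path + [basename(names[kid])])

    for root in sorted(pid for pid in children if pid not in targets):
        walk(root, [basename(names[root])])
    return chains


if __name__ == "__main__":
    evs = parse_events(WRITE_EVENTS)
    for (src, dst), rec in summarize_edges(evs).items():
        print(f"{src:>5} -> {dst:<5} {rec['writes']} write(s)  {rec['kind']:<14} {rec['src']} -> {rec['dst']}")
    for chain in injection_chains(evs):
        print("chain:", " -> ".join(chain))
```

Run against the full table the chain comes out as Ba3Im7ez.exe -> wB8Uf1HI.exe -> cH6YD8NC.exe -> HZ5Ax2CC.exe -> 1dX95mj1.exe, with A16E.exe left out because its only write target is the crash handler.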

Processes

C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe

"C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 136

C:\Users\Admin\AppData\Local\Temp\9CFB.exe

C:\Users\Admin\AppData\Local\Temp\9CFB.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe

C:\Users\Admin\AppData\Local\Temp\A16E.exe

C:\Users\Admin\AppData\Local\Temp\A16E.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 132

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\A4C9.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 280

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\AD52.exe

C:\Users\Admin\AppData\Local\Temp\AD52.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 132

C:\Users\Admin\AppData\Local\Temp\B06F.exe

C:\Users\Admin\AppData\Local\Temp\B06F.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\B2C1.exe

C:\Users\Admin\AppData\Local\Temp\B2C1.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:340993 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\B66B.exe

C:\Users\Admin\AppData\Local\Temp\B66B.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\BA23.exe

C:\Users\Admin\AppData\Local\Temp\BA23.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\taskeng.exe

taskeng.exe {452CDAB6-C829-45FF-B5A8-7A6A92D3CB61} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Roaming\cediatc

C:\Users\Admin\AppData\Roaming\cediatc

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
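Read together, the command lines above are the persistence routine of the Amadey loader the report tags: the payload is copied into a random hex-named directory under %TEMP% (fefffe8cea, 207aa4515d), a scheduled task re-runs it every minute (/Create /SC MINUTE /MO 1), and CACLS then strips the logged-on user's rights from the file and its directory ("/P Admin:N" without /E replaces the ACL so the user has no access; the following "/P Admin:R /E" edits read-only back in so the task can still start it), which stops the user from deleting it without first changing the ACL. The repeated oneetx.exe and explothe.exe launches after taskeng.exe are the task firing. The script below is an added example rather than anything from the report: it runs simple detection rules over command lines in this format. The command lines embedded in it are copied from the Processes list; the tag names, the list of user-writable locations and the set of .NET host binaries are this example's own choices.

```python
import re

# Command lines copied from the Processes section above (constructed sample input).
COMMAND_LINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\A4C9.bat" "',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 132',
]

# Assumption of this example: locations a standard user can write to.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)
# CACLS <target> /P <user>:N (no /E) replaces the ACL; the user ends up with no access.
CACLS_DENY = re.compile(r'cacls\s+"([^"]+)"\s+/p\s+"[^":]+:n"', re.I)
SCHTASKS_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
# Assumption of this example: framework utilities that have nothing to do when run bare.
DOTNET_HOSTS = {"applaunch.exe", "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe"}


def split_command(cmdline):
    """Return (lower-cased image file name, remaining arguments)."""
    m = FIRST_TOKEN.match(cmdline)
    image = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    return image, m.group(3).strip()


def classify(cmdline):
    """Return the behaviour tags this command line triggers (empty list = nothing notable)."""
    tags = []
    image, args = split_command(cmdline)
    low = cmdline.lower()

    # Re-run every minute from a user-writable directory.
    if image == "schtasks.exe" and "/create" in low and re.search(r"/sc\s+minute", low):
        target = SCHTASKS_TR.search(cmdline)
        if target and USER_WRITABLE.search(target.group(1)):
            tags.append("persistence:schtasks-minute-userpath")
        else:
            tags.append("persistence:schtasks-minute")

    # Self-protection: deny the logged-on user access to the dropped file and its folder.
    for target in CACLS_DENY.findall(cmdline):
        tags.append(f"self-protect:cacls-deny:{target}")

    # Dropped DLL executed through a signed host binary.
    if image == "rundll32.exe" and USER_WRITABLE.search(args):
        tags.append("execution:rundll32-user-dll")

    # .NET utility started with no arguments: nothing to compile or launch, so a likely
    # host for injected code (the report flags SetThreadContext on this run).
    if image in DOTNET_HOSTS and not args:
        tags.append("injection-host:bare-dotnet-binary")

    # A browser pointed straight at a login page from inside the infection's process tree.
    if image in {"iexplore.exe", "iexplore"} and re.search(r"https?://\S*(?:login|accounts\.)", low):
        tags.append("credential-access:browser-login-page")

    # cmd running a batch file staged in a user-writable directory.
    if image in {"cmd.exe", "cmd"} and ".bat" in low and USER_WRITABLE.search(args):
        tags.append("execution:user-writable-batch")

    return tags


def triage(command_lines):
    """Map each command line to its tags, dropping the ones nothing fired on."""
    return {c: classify(c) for c in command_lines if classify(c)}


if __name__ == "__main__":
    for cmd, tags in triage(COMMAND_LINES).items():
        print(", ".join(tags))
        print("   ", cmd)
```

WerFault.exe -u -p ... -s ... is the crash reporter attaching to a crashed process and gets no tag; everything the loader itself typed does.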

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 95.214.25.204:80 95.214.25.204 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
NL 157.240.201.35:443 www.facebook.com tcp (2 connections)
NL 142.250.179.141:443 accounts.google.com tcp (2 connections)
FI 77.91.124.1:80 77.91.124.1 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp (6 connections)
NL 157.240.201.35:443 facebook.com tcp (2 connections)
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp (2 connections)
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp (6 connections)
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp (2 connections)
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
MD 176.123.4.46:33783 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp (2 connections)
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
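Two kinds of traffic are mixed in the table. The HTTPS connections to Facebook, Google and Microsoft hosts each follow a DNS lookup through 8.8.8.8 and belong to the iexplore.exe windows the chain opened on login pages. The plain HTTP connections to bare addresses in FI, US, RU and BG (77.91.68.29, 77.91.68.52, 95.214.25.204, 5.42.65.80, 171.22.28.213, 77.91.124.1) were never named by any DNS query, and 176.123.4.46:33783 has no domain at all; those are what goes into a blocklist first, and the returns to 5.42.65.80 and 77.91.124.1 across the run are the check-in pattern to watch for. The script below is an added example, not part of the report: it parses rows in the table's format and separates the two groups. The ports it treats as plain HTTP and the handling of the empty Domain column are this example's own assumptions; the rows embedded in it are a constructed subset copied from the table, with repeats kept.

```python
import ipaddress
from collections import Counter

# Rows copied from the Network table above (constructed sample; repeated rows kept on purpose).
NETWORK_ROWS = """
FI 77.91.68.29:80 77.91.68.29 tcp
US 95.214.25.204:80 95.214.25.204 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
MD 176.123.4.46:33783 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
"""

HTTP_PORTS = {80, 8080}   # assumption of this example: ports counted as plain HTTP


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # Domain column empty: nothing ever resolved to it
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage(rows):
    """Split the connections into name-backed traffic and direct-to-IP traffic."""
    resolved = {r["domain"] for r in rows
                if r["port"] == 53 and r["proto"] == "udp" and r["domain"]}
    connections = Counter(f'{r["host"]}:{r["port"]}' for r in rows if r["port"] != 53)
    named, direct_http, direct_other = {}, {}, {}
    for r in rows:
        if r["port"] == 53:
            continue
        key = f'{r["host"]}:{r["port"]}'
        if r["domain"] and not is_ip(r["domain"]):
            named.setdefault(r["domain"], set()).add(key)
        elif r["port"] in HTTP_PORTS:
            direct_http[key] = r["country"]
        else:
            direct_other[key] = r["country"]
    return {
        "resolved_by_dns": resolved,
        "named": named,
        # names contacted without a preceding lookup (cached, or resolved before capture)
        "named_without_dns": set(named) - resolved,
        "direct_ip_http": direct_http,
        "direct_ip_other": direct_other,
        "connections": connections,
    }


def blocklist(rows):
    """Host:port pairs to block first: everything contacted with no name behind it."""
    t = triage(rows)
    return sorted(set(t["direct_ip_http"]) | set(t["direct_ip_other"]))


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    t = triage(rows)
    for key in blocklist(rows):
        print(f"block {key:<22} {t['connections'][key]} connection(s)")
    for name, targets in sorted(t["named"].items()):
        print(f"named {name:<24} -> {', '.join(sorted(targets))}")
    if t["named_without_dns"]:
        print("contacted without observed DNS:", ", ".join(sorted(t["named_without_dns"])))
```

The "named without DNS" bucket (ieonline.microsoft.com here, which only ever had a lookup for www.microsoft.com) is worth keeping separate rather than blocking: it usually means a cached or pre-capture resolution, not a hard-coded address.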

Files

memory/2112-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2112-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2112-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2112-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2112-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2112-8-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1232-7-0x0000000002B40000-0x0000000002B56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9CFB.exe

MD5 311b8e9d4a3084f26e1035ead880ba69
SHA1 7e198a922c3b0bbd72e898724c9b142c722b3e8c
SHA256 5fb3469b518dc772d6c9528f4bbb94224819e54bd0b7933ec37529169f716f82
SHA512 6a4d2955caad3f809f3e926c89497afd26f178280b42e25be857512554fb69c6d13c9719b7e517a4cc1ad4a7c418ffe989e2a67debeb34d7d4b72bff1ad8c224

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe

MD5 c01c845d6a76fcd2acbebe2ecaadd33c
SHA1 b11171fbdb7e27f72d20d2386e89a5f6cd4a2277
SHA256 a8735e8205d9fb0270e671c8298d3464bf03b3da5d715cbc30c5d6a947e3cc6d
SHA512 616e08bdd9ddaf715b0a6e045c74987be1ce5295f6dc8664483a83bba4b0f1e58eda893b4e6535a4abd7828849b67ee6f5ae90d771ea6767aa0eb5d7059b3957

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe

MD5 9ff796abf160a90606ebd4ee3eca37b4
SHA1 9212ca488c3f1a9bf006317172de28b4623eeaa4
SHA256 ee060bdfb14633f615d034eb3c862e10dc3fecaf292c1e1e52e25182fd2ed98b
SHA512 92e55c7e1d71754772698d05069ce8f77eecb0bbc1d42927482283b555d27957d1ccb829f2699553bd5ddc4e494d072bfe9ab4bc396bc478b8cf930824d31f23

C:\Users\Admin\AppData\Local\Temp\A16E.exe

MD5 f3f2f8b5752ef75807bb50f7cdca9813
SHA1 0b4c8a7da527a45432922e8f6eaddc5959165ae1
SHA256 0fef3487fff91a01030ad443e6e548c323825a6c9d354d406c5d224b25dc880d
SHA512 6bd7f737e4490756f520f21d3f3c5c08b36f70c001f861c6cea9b75ae59254a1fa42d265f121c2ba54d0f12bdfd6b03580cf5a4a8e037fd0331732bddd95d09e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe

MD5 b2370a4d608610c0b4eac8d25f63e804
SHA1 5026177202cc34487f1be1ae2bb87a25c2b4e1a0
SHA256 df5991e15c4a3b94ff93017d775629c86b2afd1a13c852dcb78b53ccf0fb9742
SHA512 2d9b2ebfeeef0fd8c5100fd2f07cece5d5dae21f59ab5b477164f94fd0b66c7b495baecfdbc5d2038a470481f6fc30f76b2e297648cda19979ddcc492a79bd69

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe

MD5 0ed585616bc564d894e04013c2db9f21
SHA1 43ef62a926031f8e79a245bd4fc21ee41032add7
SHA256 0f04d4a41d2246841166b4969a00e0fc10ced422a451209653c5360a3b5f93d5
SHA512 dce212a99c66cce99d0d09b8eaae67265ce6e91c42c10a78b7cce55640191cfea5ceef6eb053fd5cb877b27fd244f9646e2315578cdafabcd204495c7934cc63

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe

MD5 f3f2f8b5752ef75807bb50f7cdca9813
SHA1 0b4c8a7da527a45432922e8f6eaddc5959165ae1
SHA256 0fef3487fff91a01030ad443e6e548c323825a6c9d354d406c5d224b25dc880d
SHA512 6bd7f737e4490756f520f21d3f3c5c08b36f70c001f861c6cea9b75ae59254a1fa42d265f121c2ba54d0f12bdfd6b03580cf5a4a8e037fd0331732bddd95d09e

C:\Users\Admin\AppData\Local\Temp\A4C9.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\AD52.exe

MD5 630db5d59b0659769e88d79dcb8a8f97
SHA1 b0f88528ceb4d60a1a20f0e09665922cbd9eb711
SHA256 b44b37f30f08965b2107ae48baa82cc5667887ef0a7d0bc12bc65437630a85ef
SHA512 c0882c82949a54f6a2d1e2ff9a1d86e56003bb094e780a5c5c06f07aa7634a61ca91ba7304c83ad1613521346812b616bd15e99cee2b7be2ec33047ee223d7b7

C:\Users\Admin\AppData\Local\Temp\B06F.exe

MD5 cb71132b03f15b037d3e8a5e4d9e0285
SHA1 95963fba539b45eb6f6acbd062c48976733519a1
SHA256 7f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373
SHA512 d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a

C:\Users\Admin\AppData\Local\Temp\B2C1.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

memory/2540-170-0x0000000000240000-0x000000000024A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{876AF9E1-633A-11EE-9922-7AA063A69366}.dat

MD5 c83cc66555717cdf2ead3f7a7ef68284
SHA1 5dc506b39dfb14042f09caf9597f0ed2e25deaec
SHA256 804192fbd1ab7c0a66736f92da54d56bc157bed5e84224594cc1909708068a2d
SHA512 b5d029490c8a52a31a76c882c1c6d3c7fa9a057dcf11a820e0b75b234396a6e8d3df5c9934c09f2a5fdea2f7b6738bbef5049bb5b5c58e451090a882d18be3db

C:\Users\Admin\AppData\Local\Temp\B66B.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2540-181-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BA23.exe

MD5 c5999a94094f1b68b36ecdb65e809730
SHA1 98cf102907fdbb1028a27f3373dcbadd90e6d9c6
SHA256 0283b90f2de0901b3321e21889e7f068b8ddeebe02cb910bf267edd2690c9b39
SHA512 7c518085c7601c9b3ed83178795ee9a6d2475dc0f2b067f3b385d5eb06c98979c4f661e32a9a99a5993e04df6b380e4ccab2a02985b1a8747c60a424f9c6c4f4

memory/3052-194-0x0000000001030000-0x000000000122C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBC3E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarBDA9.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/3052-242-0x0000000001030000-0x000000000122C000-memory.dmp

memory/804-254-0x0000000000400000-0x000000000043E000-memory.dmp

memory/804-267-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 745b3105e9674458b7d09cdf3f1e022e
SHA1 fec54ecd86f3ebe6fb70de6f7d2b54d1f2ac46d4
SHA256 2e21b14584acdbeb363771c5a5ea26cae2356ed5687ee3081894a6bf2c60c724
SHA512 f7647812c83b8a738c01c6e1c9d4664cdb0c5bc5e2b229351f615f955ced7a831cc54b7c99e0ac1882a8713331e502a9c9ac20282af5a0b15cd5ffe416c609c6

memory/804-241-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3052-273-0x0000000001030000-0x000000000122C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c38a423d6eaea18a3a552d961c9c613
SHA1 61eeed9c35825d300bd9738845773938be9c4332
SHA256 4f416327973af16379b504f083e679b6e4e0a3344507eeeb643208884a12e622
SHA512 bdc9749277956db6c213202e17250e94d5619dfb3e90009f097ff87d6d4612ad305f5d4f093a2e1188cfa0501e584e8d83effa0051a9447303113382f5c6a3e0

memory/804-288-0x0000000000400000-0x000000000043E000-memory.dmp

memory/804-290-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46602e4f6867bd567c11ba2cee467cfe
SHA1 a970cfa1ab307d1093391f92c0b8aca13265a9d5
SHA256 4e1f5f8880bf559780164854596b72a0116d38268d7b7aaabd54b25f299c96d4
SHA512 cef6a60343bae0064179daaf2328511578471c35bd4b04f529dd590329cf74097f02ea4aa3bd73404b3ab414e190e721adef93274bfab7892277f55ee0559b19

memory/804-335-0x0000000070F90000-0x000000007167E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\186K4QOS\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\iehkyjx\imagestore.dat

MD5 f4643203c759feeda4e7cdc6af2bdee1
SHA1 2ad32f31abd61c7662e09e90dc145e5d6ef6052c
SHA256 711c9f488ff928d27ecb32bd6cd7a649e9ae6a97999f689e036a3e9d3ccf7c41
SHA512 8061329ccf04ff9c7af0ebdcdc4e615c53f03515c388024c5aedcf851e6b325891400aa32e1d2fe145b16bfacc8b7905074cbb25d06939f35ffe68e4fd9e5905

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPR9MST4\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/804-532-0x0000000007610000-0x0000000007650000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\iehkyjx\imagestore.dat

MD5 9b2c1bc21d59131eaeb1eaa5c4c4465e
SHA1 89e78dd651a433e2d992a830f87bdc68d99395f9
SHA256 119cc01178ac5e6404a8d2416dc3061711f462d32c6e9e6d8a175e3535fd833a
SHA512 ad30022ec3db58e2d65cd0f4213679f3dab927e43825876e14c938ff5ab0ff4e38c3648cfb328872c946592011a1cf2e0f7dd1d00eb1903088c766c9a5877a67

memory/2540-535-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7503a13360e688f3bab1d3465f6487a4
SHA1 45d77451fe5c244edc18d50d27136c5ce4732c6f
SHA256 acb8a8311aaf870633d1401edea84d121affeb112278f3600a568877ef8e4b8d
SHA512 9110a744c6aab4438d4f215eeb8914013c1f1950c81542632f93a65125fc063381d8e32d838c09fbd436131ccd5d5a548a5561f040f7e5c1c2c9d4bf2b3cc474

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7b61103b2abc5e314aedd53e27fa84b
SHA1 b8462f4d450bb79173bec149f6696727d794ff9a
SHA256 3bb5756c2bf5c20e50707c3e50c1f1b527081a33800fcda7d0657af053563c99
SHA512 82f6c0f6e4f4365b472bd4cf18850bdd5102b3c948a8b14ae323f0906cf6610a0af8ff987120feed29ff3bb7a3ff19f65f3457e00415491176a0d1a287976b1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15c82a2e0de106e643a8f6cb441b66ba
SHA1 9ca9dd3d02f5bc8aab7751024fc842dd3493c505
SHA256 40e0a30b4677d68614bcd3201322c6ed24febaec0a0ffbac3e385cfba073a7e3
SHA512 3a0f6819770e23aa703893401fa700935f17772a11d4a8734fb9815d5227592851a5d7567567ded5c051b27230841170b14da816d9af5ea069f20e31a7516858

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 060797f584dce5982ddb310b9ee8c744
SHA1 4befc929cd6b00821801522948c2ac533d2c76a5
SHA256 92aeb73af5af67fa10013b5b95c12c3ab32172ff4c1e3b5f6e89dfbb662592b9
SHA512 8da1b56fc44ae0a914651674c5ce2f81d5ce7e6b3b6103e948636eff04b06a0af11c3efea33aa648b654e5bbfa953ec7adf823097e3ca8a3edf223d0b8952892

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8377abcf98273566fb025a77dfba9eb
SHA1 a8f0c8ffd01c0c079ebefcc5d2014c4e2e843ba9
SHA256 bfbdad8d6211944c6bdc14b83bc52f809525fb67189c9328016e28318c0e1042
SHA512 32db689c8e1e67642e3fb3fe4b39cf21d892fb1d030e440c89456e3a539b5a981a69936400867caaa399783401b60be19383729dbae1dc9c0da99385feccc028

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65409a06f46ce2a4050130f1a2921000
SHA1 0536c05e99ca6ec8adebe6d496978bdc8bd5d011
SHA256 15e0c9065c6037c51bf78b3600732a9d97433fbfdf03ea4e75bbd2ded10b4bb6
SHA512 0b6c2931bcdb93df89f705ccfded43c2df73fd4fe7b4120ca10ea9d0a56519854dc3470ced7bbfe1c220d1074cf0ffd857961d622ff1ec57090910c3e65a2306

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 783d783486f85db6590d4611298bc0c9
SHA1 5a6153ce5a8aeca599db5bfee6a92967299c9b6d
SHA256 4c7b1ca263e7e76090c044c514c4e59b169a42431ee2c775cac58f85bfd71a69
SHA512 fc3408ef82b25bcb94bfad12ec174c85866c264ebfeb102bec099111ffd11671a5f67ca119fda82cbafee4c7febda285a667c032758cec2f1babf41c3e693aad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3f00390b777b96d3baf7ffce79ec7d9
SHA1 7339f09558fc25d1de93c0d203c59bc41d8c28a5
SHA256 ea12cb798216c94a585b6b943448c6437893af155d60651aaa35024a567a94c0
SHA512 54c5b170550f298031faff883d061211891800f9dacd74fbf1eaf3dc034f9cdf3e5012d92b36e4cb0ab4d86d944e17324b66c1ef368089ad115c88e8fd6b9db5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30b987059baad3ea758eaddc7aa5ddad
SHA1 1b834ecbe32bb5ff9dbffd791b00d8022c19f5ff
SHA256 5c2e0c6bcff8f93b06694937ed7916c66f7cbec5998316ecd0d6509b9b2c34ea
SHA512 0b0643fa4b8ebec0c32ba2992e17b43aeb4585406cb5543a56ff6831a51a80693a6ab2bd08905d73c866cbf068283716b6acf139e1e3fa2c5face6d0b4cf4e59

memory/2540-857-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/804-966-0x0000000070F90000-0x000000007167E000-memory.dmp

memory/804-967-0x0000000007610000-0x0000000007650000-memory.dmp

memory/804-968-0x0000000070F90000-0x000000007167E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 69d468f64dc451287c4d2af9e7e1e649
SHA1 7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256 e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512 b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

C:\Users\Admin\AppData\Roaming\cediatc

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\Roaming\cediatc

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25a89fdecac22fd6f76682e9101d7dd2
SHA1 c67925fc09d7812d816c49d3c7b393f1ba391953
SHA256 8d90a141fe23391244d1ef21f4d4865249005216f857a633903c86a27dd98173
SHA512 d314348fb1b9ba5943096f97d4f03625b1b37e67f783ffbb2d2d0cd1da12959c66793daedebfc018ca099663cbdf45eb6bf41162e51fffb11fac9ce125905399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 469ed2dc2307e0231aff71bf58b8fc17
SHA1 276180d2cebeaaf63d6775e736486bd013a0246d
SHA256 5ca184c28a6f3fc247e0a7d98654c11842d32b5810df65e93761d1cebb75526c
SHA512 b25d0e31ae55a616db7295aea16e3211397d4b8d89361dd2c9586a280340652c87b2f28776f6a1b9b7e497e8580d1a535b5062c8ae549949217928fdcb555390

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d687a579b51f71e19039b11f458c017
SHA1 cda54b6a0dd2f7c23813cfd46d04c87fe5def32f
SHA256 65a9c0f44945e88d9f321dd66f3aeb1ca533be1c98c94e5a93bdb4843acec40f
SHA512 cc0fe94c36a81804f8e2ae7f22dd660630f4aadf045ce1932e9e5a415ed569a75b43768d29edd01f977ee68cbef182babddf473ef4e287d3cb6b5dbe65a24c93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71ff33142610fb8f2a1d24433d34e9a2
SHA1 337f95f81134f76f038deac067a59fce8bc8f0eb
SHA256 f69c34160fe51ae4e2d591445de02cd6793f6680206a36d81ce8f2bc8afe4219
SHA512 d0a73cfbfcdf296c3993692af2a066090a540f56f0d1a8afc3a45d6a232f27ca8ce535456d1b72c61c0cfca8456bda35bcaed652c80283425ed215d19a2efc09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ca28c91231a7ab9211b66bfbb9bb3e7
SHA1 f8668c24551fe30372bf4e93c271bb5da2933e5f
SHA256 f74a95219c7b30b07b6efcca8060f44f53c70b3d359fa60a62c4e3b84292c71d
SHA512 b42372a526370fa09d0e8806d9948803070048827a35fbec55e4a4c567331b1cacf4669cb0e88ebb32e38ba39034642ca53baf447b24fbaed8f646a5d87abbe6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30b424bd971c6568b6f641cee9da238f
SHA1 48c18225ee6a5310a7806c0b264f1893db226895
SHA256 e2076a1d333de79af1456979193c5e2d272d21a9ae6bfb1a94d62e928218f1e5
SHA512 ec1063fa3c3e68e424c30900df2dcf52f8b82610f0b5c8c873471eedf68f5806b7a556228d2bda3b9e7483c7ca335199e24e6013854e545222f604ede50cd63e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 395bb73ca9d564d6946ed000c6c5e7a4
SHA1 530342aff1068ae39d159898f51c65b093ccd1b7
SHA256 038b6bc5a61e58d956ddafd309fc4ffe6727f5f8810d49e415087e5506f26ac3
SHA512 feee3cae400a65716621564ef02ed1d921914f7bbe54c361f48d0f7486f13649e3eb752b00017a4b9cb6d0482d080819662dfdeac09b814aed87b0962c47cd78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39f8903077001e7af2fc53797c4f78af
SHA1 b484343c1f19c21eb168a31402afc96699677665
SHA256 ae604021d39d9a77b229193a4841742a54e425a5f329334751ab743a0b35778f
SHA512 b61f98483e189588d3bf411f99a10680def2917598c1173e7158f7f99b42dc2ff70bbc9ec7b72bbbdeeead337fcdde8a3feaec12292c87c0587f44759a41acaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2243c144bec4fc86d5ead36c6b1fbcd
SHA1 5d79984e4350e31c76ede1ee0dcfec6360dff83a
SHA256 500b895756e2d4b5076f35f07be13861111e02ebef954051a2e170e95d7e2520
SHA512 f55f8ec91bf6767d71478a3c722533d933c7c7fc5b3b3e5324e200c12b1a57b7c2db78e71025d5517efd226bfc429a49a2392a100430fb28d8d708fddbcbb5f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 709bde03fa7250f2708a43188d2e76fe
SHA1 799517b0347215aeacaf04c38a6b1003b1719661
SHA256 f04e3be5250dbe0e5a7aaa2d0353c49436afa36da551e6af9e56901efc82ffc4
SHA512 6b05fbe6b4416b7a16ea98ed3734d01293d153ed019259e41bf3712a7464bd369afa840dfa1f51a173c50e71852d88cab74079c0322a793db9175a1ae5cf71fb

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 04:48

Reported

2023-10-05 04:53

Platform

win10-20230915-en

Max time kernel

33s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FA90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\FA90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\FA90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FA90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\FA90.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\FA90.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\E474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b2b2604b47f7d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FA90.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3560 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3560 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3560 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3560 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3560 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3240 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\E474.exe
PID 3240 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\E474.exe
PID 3240 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\E474.exe
PID 1288 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\E474.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 1288 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\E474.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 1288 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\E474.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe
PID 760 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe
PID 760 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe
PID 760 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe
PID 4772 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe
PID 4772 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe
PID 4772 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe
PID 3552 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe
PID 3552 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe
PID 3552 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe
PID 3240 wrote to memory of 4232 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe
PID 3240 wrote to memory of 4232 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe
PID 3240 wrote to memory of 4232 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe
PID 3076 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe
PID 3076 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe
PID 3076 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\E7C1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3240 wrote to memory of 5008 N/A N/A C:\Windows\system32\cmd.exe
PID 3240 wrote to memory of 5008 N/A N/A C:\Windows\system32\cmd.exe
PID 3240 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe
PID 3240 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe
PID 3240 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe
PID 3240 wrote to memory of 4116 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA90.exe
PID 3240 wrote to memory of 4116 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA90.exe
PID 3744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\F8BB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3240 wrote to memory of 5052 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDCE.exe
PID 3240 wrote to memory of 5052 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDCE.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe

"C:\Users\Admin\AppData\Local\Temp\961dc505a86a3e0db5c77d3ad4c966cfcd43ec23e94190a879a2b171b930beb3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 172

C:\Users\Admin\AppData\Local\Temp\E474.exe

C:\Users\Admin\AppData\Local\Temp\E474.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ba3Im7ez.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wB8Uf1HI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cH6YD8NC.exe

C:\Users\Admin\AppData\Local\Temp\E7C1.exe

C:\Users\Admin\AppData\Local\Temp\E7C1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HZ5Ax2CC.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dX95mj1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EB8B.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\F8BB.exe

C:\Users\Admin\AppData\Local\Temp\F8BB.exe

C:\Users\Admin\AppData\Local\Temp\FA90.exe

C:\Users\Admin\AppData\Local\Temp\FA90.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\FDCE.exe

C:\Users\Admin\AppData\Local\Temp\FDCE.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\B7C.exe

C:\Users\Admin\AppData\Local\Temp\B7C.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\12C0.exe

C:\Users\Admin\AppData\Local\Temp\12C0.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\1000494001\ss41.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 254.35.24.67.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 95.214.25.204:80 95.214.25.204 tcp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 204.25.214.95.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 ji.alie3ksgdd.com udp
US 172.67.143.192:80 ji.alie3ksgdd.com tcp
US 8.8.8.8:53 192.143.67.172.in-addr.arpa udp
MD 176.123.4.46:33783 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 95.214.27.254:80 tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 46.4.123.176.in-addr.arpa udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp

Files
