Analysis Overview
SHA256
3c53812acc6c7331c2bd86c8f29e3500b040c945ebdbcaec4e8b0fb63e9b6aa3
Threat Level: Known bad
The file file was found to be: Known bad.
Malicious Activity Summary
Amadey
Detects Healer an antivirus disabler dropper
SectopRAT
SmokeLoader
SectopRAT payload
RedLine
Glupteba payload
Glupteba
RedLine payload
Healer
Modifies Windows Defender Real-time Protection settings
DcRat
Downloads MZ/PE file
Windows security modification
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 21:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 21:45
Reported
2023-10-10 21:48
Platform
win7-20230831-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2544 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 268
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
| MD5 | 329da0069bb2125b78e45b5248d186ed |
| SHA1 | c2fd67c3c0d5dd1904827cbed13c674d86952d5f |
| SHA256 | 1356cdbb022ed71041a0b779f53eee900f40771bffdadfb0493891af537d1159 |
| SHA512 | 36062bc46d78240e5c2b39fc9b3a389c5dc97f76c834e90bae64b73c09a9db6318e1e8b2ff223dcf0d8814e13267c4bf1b44178668ad5cf132892ed3484c4fdf |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
| MD5 | 329da0069bb2125b78e45b5248d186ed |
| SHA1 | c2fd67c3c0d5dd1904827cbed13c674d86952d5f |
| SHA256 | 1356cdbb022ed71041a0b779f53eee900f40771bffdadfb0493891af537d1159 |
| SHA512 | 36062bc46d78240e5c2b39fc9b3a389c5dc97f76c834e90bae64b73c09a9db6318e1e8b2ff223dcf0d8814e13267c4bf1b44178668ad5cf132892ed3484c4fdf |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
| MD5 | 1c28ec10c263eab4b6413b280d108d46 |
| SHA1 | bb5d7812bbb014f58057d0dfbb9e596db44f6cc7 |
| SHA256 | 5c101224df6e71cda990eb4ab5427034bcd4f7451cb86aa77b05c170ea83f9be |
| SHA512 | 5b86e70ca49bfa68463003e758284bab973c65be7b849190d766f5bbd879ed237bc6516575d717d10966696323282e34ed0ecd829cfab86543b3951ff2479670 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
| MD5 | 1c28ec10c263eab4b6413b280d108d46 |
| SHA1 | bb5d7812bbb014f58057d0dfbb9e596db44f6cc7 |
| SHA256 | 5c101224df6e71cda990eb4ab5427034bcd4f7451cb86aa77b05c170ea83f9be |
| SHA512 | 5b86e70ca49bfa68463003e758284bab973c65be7b849190d766f5bbd879ed237bc6516575d717d10966696323282e34ed0ecd829cfab86543b3951ff2479670 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
| MD5 | 7dbda2a911a3c08bc3ac4539e4096cf6 |
| SHA1 | 033907f8b2bf668cf2ab1de228e14ab2d490041a |
| SHA256 | aacb49d435e7f0c6b2f7affe3a670bdc5c3917ce25e8f68d4b561877a85b8da5 |
| SHA512 | e8c7b9d0447794d200ec68adca5612dabc4c9ac6e4f7f1a0727011da499ee8a53f03a1a27e577a45cb726903d89bba21110e474e38b3da24cfee5433eb6a1329 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
| MD5 | 7dbda2a911a3c08bc3ac4539e4096cf6 |
| SHA1 | 033907f8b2bf668cf2ab1de228e14ab2d490041a |
| SHA256 | aacb49d435e7f0c6b2f7affe3a670bdc5c3917ce25e8f68d4b561877a85b8da5 |
| SHA512 | e8c7b9d0447794d200ec68adca5612dabc4c9ac6e4f7f1a0727011da499ee8a53f03a1a27e577a45cb726903d89bba21110e474e38b3da24cfee5433eb6a1329 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
memory/2784-40-0x00000000003E0000-0x00000000003FE000-memory.dmp
memory/2784-41-0x0000000001F10000-0x0000000001F2C000-memory.dmp
memory/2784-42-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-43-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-45-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-47-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-53-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-59-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-67-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-69-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-65-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-63-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-61-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-57-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-55-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-51-0x0000000001F10000-0x0000000001F26000-memory.dmp
memory/2784-49-0x0000000001F10000-0x0000000001F26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
| MD5 | eb224ab4447fd162331de829a25cd323 |
| SHA1 | bc548105ff28c7df16c2bad188e84347ac545fac |
| SHA256 | 2297046a8c31790163a45d192afd48fc77260888829587fec5b72fe52cf489f0 |
| SHA512 | 212ca1b198b858f9ef012cf691ea579657711601e5e26aa673650d40248b4576c7cab718a02f58ca2ee7000e2cc479fcbbe37f06358f33066205838e19df913c |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
| MD5 | eb224ab4447fd162331de829a25cd323 |
| SHA1 | bc548105ff28c7df16c2bad188e84347ac545fac |
| SHA256 | 2297046a8c31790163a45d192afd48fc77260888829587fec5b72fe52cf489f0 |
| SHA512 | 212ca1b198b858f9ef012cf691ea579657711601e5e26aa673650d40248b4576c7cab718a02f58ca2ee7000e2cc479fcbbe37f06358f33066205838e19df913c |
memory/3028-77-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-79-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3028-81-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-83-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-80-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-78-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-76-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-85-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-87-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 21:45
Reported
2023-10-10 21:48
Platform
win10v2004-20230915-en
Max time kernel
141s
Max time network
156s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E126.bat | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EA41.exe | N/A |
Executes dropped EXE
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\BAA0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3772 set thread context of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5068 set thread context of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1924 set thread context of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 220 set thread context of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\D7CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4356 set thread context of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\E3F5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3100 set thread context of 5280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3772 -ip 3772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2292 -ip 2292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 592
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3AC2.tmp\3AC3.tmp\3AC4.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffc562d46f8,0x7ffc562d4708,0x7ffc562d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc562d46f8,0x7ffc562d4708,0x7ffc562d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,1937460803996180796,11078827719081635513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,1937460803996180796,11078827719081635513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\BAA0.exe
C:\Users\Admin\AppData\Local\Temp\BAA0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
C:\Users\Admin\AppData\Local\Temp\D7CE.exe
C:\Users\Admin\AppData\Local\Temp\D7CE.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe
C:\Users\Admin\AppData\Local\Temp\E126.bat
"C:\Users\Admin\AppData\Local\Temp\E126.bat"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 220 -ip 220
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E2CA.tmp\E2CB.tmp\E2CC.bat C:\Users\Admin\AppData\Local\Temp\E126.bat"
C:\Users\Admin\AppData\Local\Temp\E3F5.exe
C:\Users\Admin\AppData\Local\Temp\E3F5.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 408
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe
C:\Users\Admin\AppData\Local\Temp\E6B6.exe
C:\Users\Admin\AppData\Local\Temp\E6B6.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4356 -ip 4356
C:\Users\Admin\AppData\Local\Temp\EA41.exe
C:\Users\Admin\AppData\Local\Temp\EA41.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 388
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3100 -ip 3100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5280 -ip 5280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 540
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc562d46f8,0x7ffc562d4708,0x7ffc562d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc562d46f8,0x7ffc562d4708,0x7ffc562d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\338F.exe
C:\Users\Admin\AppData\Local\Temp\338F.exe
C:\Users\Admin\AppData\Local\Temp\9306.exe
C:\Users\Admin\AppData\Local\Temp\9306.exe
C:\Users\Admin\AppData\Local\Temp\9808.exe
C:\Users\Admin\AppData\Local\Temp\9808.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\9C8D.exe
C:\Users\Admin\AppData\Local\Temp\9C8D.exe
C:\Users\Admin\AppData\Local\Temp\source1.exe
"C:\Users\Admin\AppData\Local\Temp\source1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1952 -ip 1952
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 804
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe
| MD5 | fbfb7c87403163c4e9bba4dd3e7a23e2 |
| SHA1 | 133c3a05314c9517135291d248faa98cd01a906d |
| SHA256 | d1a18fad8c23f0f746eef147abade6e8b787f53cbc403f5a9874e97d84f767dc |
| SHA512 | 9f6dba5976062ad4be3bee1f71accb3a266d812b3109dd1c73a552054d78d4be23fedfbf4b13a2941046d10b65712d500116eb310046dd04f6bf7552018bc3d8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe
| MD5 | fbfb7c87403163c4e9bba4dd3e7a23e2 |
| SHA1 | 133c3a05314c9517135291d248faa98cd01a906d |
| SHA256 | d1a18fad8c23f0f746eef147abade6e8b787f53cbc403f5a9874e97d84f767dc |
| SHA512 | 9f6dba5976062ad4be3bee1f71accb3a266d812b3109dd1c73a552054d78d4be23fedfbf4b13a2941046d10b65712d500116eb310046dd04f6bf7552018bc3d8 |
memory/4148-92-0x0000000008C60000-0x0000000009278000-memory.dmp
memory/4148-93-0x0000000007F10000-0x000000000801A000-memory.dmp
memory/4148-94-0x0000000007E00000-0x0000000007E12000-memory.dmp
memory/4148-95-0x0000000007E60000-0x0000000007E9C000-memory.dmp
memory/4148-96-0x0000000007EA0000-0x0000000007EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3AC2.tmp\3AC3.tmp\3AC4.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | dc1545f40e709a9447a266260fdc751e |
| SHA1 | 8afed6d761fb82c918c1d95481170a12fe94af51 |
| SHA256 | 3dadfc7e0bd965d4d61db057861a84761abf6af17b17250e32b7450c1ddc4d48 |
| SHA512 | ed0ae5280736022a9ef6c5878bf3750c2c5473cc122a4511d3fb75eb6188a2c3931c8fa1eaa01203a7748f323ed73c0d2eb4357ac230d14b65d18ac2727d020f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1222f8c867acd00b1fc43a44dacce158 |
| SHA1 | 586ba251caf62b5012a03db9ba3a70890fc5af01 |
| SHA256 | 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a |
| SHA512 | ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1222f8c867acd00b1fc43a44dacce158 |
| SHA1 | 586ba251caf62b5012a03db9ba3a70890fc5af01 |
| SHA256 | 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a |
| SHA512 | ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1222f8c867acd00b1fc43a44dacce158 |
| SHA1 | 586ba251caf62b5012a03db9ba3a70890fc5af01 |
| SHA256 | 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a |
| SHA512 | ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1222f8c867acd00b1fc43a44dacce158 |
| SHA1 | 586ba251caf62b5012a03db9ba3a70890fc5af01 |
| SHA256 | 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a |
| SHA512 | ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916 |
\??\pipe\LOCAL\crashpad_3300_SRDUWUTPXPMYBYJX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_3240_WEWUFUGVULYBKNOC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1222f8c867acd00b1fc43a44dacce158 |
| SHA1 | 586ba251caf62b5012a03db9ba3a70890fc5af01 |
| SHA256 | 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a |
| SHA512 | ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 24ed5466b3402d3684e5c7a9d0049b7e |
| SHA1 | 287fa9453580d5ea5700d4c1545f9b7a9dafff44 |
| SHA256 | 60c96c0c30d3d37a48ea7006089796f13586f4e1431f88c66dc57cbba368242f |
| SHA512 | 803c445255425c8aa97c68f6ba56f9b17e76cadc4424515c590ac24871b57d8b6a890cc191f86ec46712403fb4349ced8c5cbc87eaf93d30f5081a9d20f8e384 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c22b6462a707f4fdfa3a8a608a35879f |
| SHA1 | b7cd13c45683a0b87a97c449defcecb45aee069e |
| SHA256 | ae6413041c72fe4a43e3e171b2115c56afe56cecd33486caaf7813f03f982001 |
| SHA512 | 3408febd758886b6115709dacdf2879287ad5ca0aceb40f735df81d4620540c4b5877af864cfe929a7d965e3d8106414c0d549c9d448cf44fba46dfd63fe0b72 |
memory/3224-158-0x0000000003290000-0x00000000032A6000-memory.dmp
memory/4660-159-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4148-189-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/4148-196-0x0000000007DF0000-0x0000000007E00000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 24ed5466b3402d3684e5c7a9d0049b7e |
| SHA1 | 287fa9453580d5ea5700d4c1545f9b7a9dafff44 |
| SHA256 | 60c96c0c30d3d37a48ea7006089796f13586f4e1431f88c66dc57cbba368242f |
| SHA512 | 803c445255425c8aa97c68f6ba56f9b17e76cadc4424515c590ac24871b57d8b6a890cc191f86ec46712403fb4349ced8c5cbc87eaf93d30f5081a9d20f8e384 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d30821c457e498dd42f79c22a96387ac |
| SHA1 | 0f14be9e1c3e7c8942db3f8d32596f7a25127ef4 |
| SHA256 | 11ca670147e8b0c9f8cd2ef73eacccbb89dd197db4450454b1f7691120a450c1 |
| SHA512 | ca3997a35669bae1e66f6f6bf3ad0b2d514684fe6bcfff1ff761a4ab5e2416fd1bcf0d548d9fe78b0e5cbff9dc948bceff3d21b8bcf4957a6df3c6b165ade7e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 58a0fe0d2e884aab7f352393bf94bab0 |
| SHA1 | 8b41bf5cf23b2c3341bbb297f17f5475f6a953e4 |
| SHA256 | de832dfe951081343b6f3b86f32dce1acacc2d776625071bf4dc9832a0e99448 |
| SHA512 | 408cca605b42df1684822a73ee578e558ecd6e7337183f5624351b02a5accc095afbe79538744f525aeb0cde62adf626c50335ee566a6cd966a08b996ff301ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 15ad31a14e9a92d2937174141e80c28d |
| SHA1 | b09e8d44c07123754008ba2f9ff4b8d4e332d4e5 |
| SHA256 | bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde |
| SHA512 | ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\BAA0.exe
| MD5 | 6e6ec8980dca281b098eb1bf5c3a6f99 |
| SHA1 | f74129680e21f2073f5f4c9d39b7120f72b0a208 |
| SHA256 | 183e5a913132b82f31ae280e5a092ee98caf1118ffcff96f467cf5f0200ad7a9 |
| SHA512 | 4056ae72f57130fe9f7bb03eddf8b0e85ecd2e00d93bddd9da7e325d7207eea8b94d3a66fbfa72bc51f02bcc96cb404f71c51045cf2a680f0123f528f728d00b |
C:\Users\Admin\AppData\Local\Temp\BAA0.exe
| MD5 | 6e6ec8980dca281b098eb1bf5c3a6f99 |
| SHA1 | f74129680e21f2073f5f4c9d39b7120f72b0a208 |
| SHA256 | 183e5a913132b82f31ae280e5a092ee98caf1118ffcff96f467cf5f0200ad7a9 |
| SHA512 | 4056ae72f57130fe9f7bb03eddf8b0e85ecd2e00d93bddd9da7e325d7207eea8b94d3a66fbfa72bc51f02bcc96cb404f71c51045cf2a680f0123f528f728d00b |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Nw86rk.exe
| MD5 | 3d269c5ae178789d40051b9b0daf7bc2 |
| SHA1 | bf9a901740b8fbc74c514382a18edd7eed0fea1f |
| SHA256 | 964a6712b6e047938eeca6ccac88b2e2085fdd64f3562893b5a5a42667982fbd |
| SHA512 | 01e7d6fbd6f87d6c7256130d4518659fac0b4c0a9e5459ec848fea0a4a1d50c9a8dd8fb8265536b7a907f81f873aa80774fab82df8558dbaa155d1d3ca5515b5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | af6e764745fbff3065e0b0ff4defd74e |
| SHA1 | 0e3a4fe84aada1f9efd441d3e0df8352708fcbc1 |
| SHA256 | aef366e18e9d0a74f3c4c45247028875e5245214f6c765e46047b05256dea4a5 |
| SHA512 | 02779c8d814d2ce335960239049445741a99bbf84a17d39b373a04cdb57b31f30f600fb4081d9acd96bbad3aa0097ba2fd07e255ed659e78305597d50ef12b11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
| MD5 | 693c6c86eb7499b1d4bb6bbc65db4c2d |
| SHA1 | 8cca414c23ea2daf31a1d94eb26fee12921c3f65 |
| SHA256 | 9ef0773421dcfbaa3f1f98f3d569538a63adb0df6e68ce92cef6016baf181165 |
| SHA512 | 5ed8f92f95ff2c63bb567fdf9a4b6117c4fbea0a9d73691dc402271f4c3bb623bd86417af034f23a5fedf37520e07da72284bffa735afcf0fc832ef553ab00d2 |
C:\Users\Admin\AppData\Local\Temp\D7CE.exe
| MD5 | 93153fed74f88b04dc6a7b755a7a9e63 |
| SHA1 | abb217c14a0663a01b08dffef53031d629f63f20 |
| SHA256 | 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79 |
| SHA512 | cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5 |
C:\Users\Admin\AppData\Local\Temp\D7CE.exe
| MD5 | 93153fed74f88b04dc6a7b755a7a9e63 |
| SHA1 | abb217c14a0663a01b08dffef53031d629f63f20 |
| SHA256 | 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79 |
| SHA512 | cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
| MD5 | 693c6c86eb7499b1d4bb6bbc65db4c2d |
| SHA1 | 8cca414c23ea2daf31a1d94eb26fee12921c3f65 |
| SHA256 | 9ef0773421dcfbaa3f1f98f3d569538a63adb0df6e68ce92cef6016baf181165 |
| SHA512 | 5ed8f92f95ff2c63bb567fdf9a4b6117c4fbea0a9d73691dc402271f4c3bb623bd86417af034f23a5fedf37520e07da72284bffa735afcf0fc832ef553ab00d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 22a58a19c1292db97d93843d5545de5e |
| SHA1 | 79a90f393b392837e3eeab2fd80c00f612356f51 |
| SHA256 | b165f7d63d7cd4eecb243532d756d60f64467ac3b5b498c8931e1ea39babcce7 |
| SHA512 | a9c5e3a29f41e1d474e9b39d8b0b6531ff7bcdac44846450242c6ab8e52025b6ecf02e88e323dd71f7fb355099bb31cb154adcfccd8e95aea0d90bdd15912908 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e1c0.TMP
| MD5 | 5b28dad278ab273d9f421cdbfa331705 |
| SHA1 | fcae4233cf18b996ba7f5437f2ebdd6fd0b2b063 |
| SHA256 | 0bc3d0f67228bab3e4b20fb3487dd8fa4abb742a05b6dc76d4c51c5d80c0dff9 |
| SHA512 | c88ea3a3e993a9e6329bca349fd4f64b017a3c9b938a02d3b6cbe9a83a838e84e0a8ee53658ae61858db223d41487135ba53a4718ada55a177f8c04050c3a8be |
C:\Users\Admin\AppData\Local\Temp\E126.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe
| MD5 | eb0dd850df8c60600b6a0da57bc332c0 |
| SHA1 | 205abf9bd526db8471a67ea9655996aebfe7a14c |
| SHA256 | 7311b1a64fd4ba02cb63567080ba6976c826244577a8bc685b06a843551ed3f4 |
| SHA512 | 0059cc23beb8aa5985bc7838b2f94efe67947f782cbda3de7d15f5dae1069749d949415f702d1131b59c75f33450556abf1464bfda4ca6cb792450b6b49698a0 |
C:\Users\Admin\AppData\Local\Temp\E126.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe
| MD5 | eb0dd850df8c60600b6a0da57bc332c0 |
| SHA1 | 205abf9bd526db8471a67ea9655996aebfe7a14c |
| SHA256 | 7311b1a64fd4ba02cb63567080ba6976c826244577a8bc685b06a843551ed3f4 |
| SHA512 | 0059cc23beb8aa5985bc7838b2f94efe67947f782cbda3de7d15f5dae1069749d949415f702d1131b59c75f33450556abf1464bfda4ca6cb792450b6b49698a0 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe
| MD5 | f1d32094252c66f6f22bd4c8c1acd996 |
| SHA1 | 44edc6c2dc8f92290f29074abd25ea28bdc91393 |
| SHA256 | 16dc74bd958a00a9a29845130529f12979f0e440e6e2139fcfdabe1dbfd0409c |
| SHA512 | f44ce7e2ad437dc70eb7520c3776f62bfc7b642a652df138b162c63e71e2838ff1bf5fdeba6b2577ef11638945619a77d82a6382a220ca11536caa9c1ab9afef |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe
| MD5 | f1d32094252c66f6f22bd4c8c1acd996 |
| SHA1 | 44edc6c2dc8f92290f29074abd25ea28bdc91393 |
| SHA256 | 16dc74bd958a00a9a29845130529f12979f0e440e6e2139fcfdabe1dbfd0409c |
| SHA512 | f44ce7e2ad437dc70eb7520c3776f62bfc7b642a652df138b162c63e71e2838ff1bf5fdeba6b2577ef11638945619a77d82a6382a220ca11536caa9c1ab9afef |
memory/3080-320-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3080-321-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3080-324-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E3F5.exe
| MD5 | c6dcaa9b9d234fba471592f67bbed65c |
| SHA1 | ddd52620fd70c51b5f604dfdffc83c02841898c6 |
| SHA256 | b2dd68e9fcfb768c675ee00730018d4847fe3df812837162a1b7ed483f6920a0 |
| SHA512 | 1790d5dd3237991d90cf9290a3916aa554cafd5de27e877072d5af6733948a245380910593ae52ef4b61b0cff93874423016cb18a8b8b4640ddb1cef9824894b |
C:\Users\Admin\AppData\Local\Temp\E3F5.exe
| MD5 | c6dcaa9b9d234fba471592f67bbed65c |
| SHA1 | ddd52620fd70c51b5f604dfdffc83c02841898c6 |
| SHA256 | b2dd68e9fcfb768c675ee00730018d4847fe3df812837162a1b7ed483f6920a0 |
| SHA512 | 1790d5dd3237991d90cf9290a3916aa554cafd5de27e877072d5af6733948a245380910593ae52ef4b61b0cff93874423016cb18a8b8b4640ddb1cef9824894b |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe
| MD5 | 337bcef68d1505c1b939d9419b5ba2fa |
| SHA1 | da7994b8e3413d1737f4487bbf2fd3d86e3298ab |
| SHA256 | 52067f320a43821e6a63a7aac95e9837f00b0ebe475b95c8974042f575fe6b8d |
| SHA512 | bde954f048b432832482e388c6f31f83a5ecead26f152cce9b6964a00fcac16072583dccc5e7d1d86fcb2d0037426837dff71515d87451315ff11aab562e26ae |
C:\Users\Admin\AppData\Local\Temp\E2CA.tmp\E2CB.tmp\E2CC.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe
| MD5 | 337bcef68d1505c1b939d9419b5ba2fa |
| SHA1 | da7994b8e3413d1737f4487bbf2fd3d86e3298ab |
| SHA256 | 52067f320a43821e6a63a7aac95e9837f00b0ebe475b95c8974042f575fe6b8d |
| SHA512 | bde954f048b432832482e388c6f31f83a5ecead26f152cce9b6964a00fcac16072583dccc5e7d1d86fcb2d0037426837dff71515d87451315ff11aab562e26ae |
C:\Users\Admin\AppData\Local\Temp\E6B6.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
C:\Users\Admin\AppData\Local\Temp\E6B6.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe
| MD5 | 93153fed74f88b04dc6a7b755a7a9e63 |
| SHA1 | abb217c14a0663a01b08dffef53031d629f63f20 |
| SHA256 | 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79 |
| SHA512 | cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe
| MD5 | 93153fed74f88b04dc6a7b755a7a9e63 |
| SHA1 | abb217c14a0663a01b08dffef53031d629f63f20 |
| SHA256 | 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79 |
| SHA512 | cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5 |
memory/4736-354-0x0000000000BE0000-0x0000000000BEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe
| MD5 | 93153fed74f88b04dc6a7b755a7a9e63 |
| SHA1 | abb217c14a0663a01b08dffef53031d629f63f20 |
| SHA256 | 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79 |
| SHA512 | cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5 |
memory/4736-359-0x00007FFC52D50000-0x00007FFC53811000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA41.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\EA41.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/5056-365-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/5056-366-0x0000000007740000-0x0000000007750000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/5280-369-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5280-374-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3080-368-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/5280-376-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe
| MD5 | 4efc0d118a80d9e01765d803b8a2cf61 |
| SHA1 | 70ef64b40c65b03a1e98afb0b842959464b30cae |
| SHA256 | 42e02486e940d9b85523ad4382cf67d2924f552bc15d919f77b9a3fd1dfa4f03 |
| SHA512 | f3b84c830c954c417a454028aad4b30949b41690e451dbd7aa58c40c73f49e41e3a14666090b76894ee8bbe7647e24797b32833417bc6959fa143ada8c59f948 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe
| MD5 | 4efc0d118a80d9e01765d803b8a2cf61 |
| SHA1 | 70ef64b40c65b03a1e98afb0b842959464b30cae |
| SHA256 | 42e02486e940d9b85523ad4382cf67d2924f552bc15d919f77b9a3fd1dfa4f03 |
| SHA512 | f3b84c830c954c417a454028aad4b30949b41690e451dbd7aa58c40c73f49e41e3a14666090b76894ee8bbe7647e24797b32833417bc6959fa143ada8c59f948 |
memory/5620-384-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/5620-383-0x0000000000570000-0x00000000005AE000-memory.dmp
memory/5620-385-0x0000000007470000-0x0000000007480000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1222f8c867acd00b1fc43a44dacce158 |
| SHA1 | 586ba251caf62b5012a03db9ba3a70890fc5af01 |
| SHA256 | 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a |
| SHA512 | ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916 |
memory/4736-439-0x00007FFC52D50000-0x00007FFC53811000-memory.dmp
memory/5056-443-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/5056-444-0x0000000007740000-0x0000000007750000-memory.dmp
memory/5620-457-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/5620-458-0x0000000007470000-0x0000000007480000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e7de31207246a33901d64a4b0bf8e437 |
| SHA1 | d2ebe288139357ba6915ffd3f94e48bf838ea2f6 |
| SHA256 | 5acfb2a6c65930124af25605992a5bd1729065678801b9d8e99053c91c551f74 |
| SHA512 | fe6f0823c00a47ce74ad69c31dcb89a440a33139716a6307ae43ad69b20df9784e5c1e3f6cfef2e1c8a291d9c01cc125df893de845712cea17cb620932e2d665 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4d8e319146e5976b8be071f4e37bb768 |
| SHA1 | 1a95c8a3c6d32e350b45623ea219e14d5f40e340 |
| SHA256 | cd7abba991fe9efd8fd70a103d83bea4b74e246a7bb0a53c19a3594c27055925 |
| SHA512 | 40f7ac59f18736fef1a60578ca2b7859217cd2c005f602f392e82464e2854665707d25ea025f9f9812ec23ee8eb979af0fcc697254dd282545a430e6ab458e55 |
memory/4736-492-0x00007FFC52D50000-0x00007FFC53811000-memory.dmp
memory/5904-508-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/5904-509-0x0000000000840000-0x000000000176A000-memory.dmp
memory/5904-515-0x0000000074550000-0x0000000074D00000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | efcbfc1bf9f11c3d07cae78a4df5e8d3 |
| SHA1 | 9db30cd135d46097affab4b47a50f51b4186c32e |
| SHA256 | 8229d7603ae3dda6abd51231b6c4589c3977a6901ad398c8bcbbec141213bef5 |
| SHA512 | 2697bf737321c186f1fdeabed6720bc72ccd3fe8230399ea74f15e4286cc929146c7b15d2a43ac56c15f08b5d65f8d7877fb9dae6456a1506a5c01108dd8acc6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f82cfe41f02f48ac5ca5db372cf4ba73 |
| SHA1 | a0788d95f505a4ad8221c6f28cb1d4da6fe8faad |
| SHA256 | 6be2bfe381ccd10f666ebf719182fe5faa3de01b58cbf6c98bb1f4106cbfe1b0 |
| SHA512 | b5e4806341439d58fa14a794df51cd92865f9ab79468a9be57c5f43df8322c8ae9f2e36eb227446f42837d0047bffe0e5af2729151b64e31fbd810015268cb73 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b44f3ea702caf5fba20474d4678e67f6 |
| SHA1 | d33da22fcd5674123807aaf01123d49a69901e33 |
| SHA256 | 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8 |
| SHA512 | ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3 |
memory/1952-563-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | aa6f521d78f6e9101a1a99f8bfdfbf08 |
| SHA1 | 81abd59d8275c1a1d35933f76282b411310323be |
| SHA256 | 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d |
| SHA512 | 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153 |
memory/1952-573-0x0000000000700000-0x000000000075A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\source1.exe
| MD5 | e082a92a00272a3c1cd4b0de30967a79 |
| SHA1 | 16c391acf0f8c637d36a93e217591d8319e3f041 |
| SHA256 | eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc |
| SHA512 | 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288 |
memory/1952-584-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/4416-586-0x0000000000400000-0x0000000000431000-memory.dmp
memory/5504-588-0x0000000000EE0000-0x00000000013F6000-memory.dmp
memory/4416-585-0x00000000001C0000-0x00000000001DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/5504-597-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/3936-595-0x0000000000B00000-0x0000000000B1E000-memory.dmp
memory/5504-600-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/3936-599-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/4416-602-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/5904-603-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/5504-604-0x0000000005F50000-0x0000000005FEC000-memory.dmp
memory/5504-605-0x0000000005CA0000-0x0000000005CA1000-memory.dmp
memory/3936-606-0x0000000005440000-0x0000000005450000-memory.dmp
memory/2896-614-0x0000000002440000-0x0000000002540000-memory.dmp
memory/384-616-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2896-615-0x00000000023F0000-0x00000000023F9000-memory.dmp
memory/1952-617-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1952-618-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/384-619-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5504-621-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/3936-622-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/5504-624-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/3640-623-0x00000000041B0000-0x00000000045AD000-memory.dmp
memory/3640-625-0x00000000046B0000-0x0000000004F9B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 99e5093ced861f7ce640640c7c771c97 |
| SHA1 | dfcb73fbf17959defc55661d3124427b201d1724 |
| SHA256 | be6254c082b9d63657e232b82a01ae126d7880bca77d836c1b0e3d120fd68ac9 |
| SHA512 | 88dfb262af75da7ac155fee62995eef61d9002f2e5ffa2444829873f9b138667bea1bc49220fd2383f2732ff293eb97cc06ef1f8c03fbe3b8f8a6cd83cdcb36e |
memory/384-662-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3224-661-0x0000000003270000-0x0000000003286000-memory.dmp