Malware Analysis Report

2025-01-23 11:29

Sample ID: 231010-1l7b9sfd34
Target file SHA256: 3c53812acc6c7331c2bd86c8f29e3500b040c945ebdbcaec4e8b0fb63e9b6aa3
Tags: evasion persistence trojan amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor dropper infostealer loader rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3c53812acc6c7331c2bd86c8f29e3500b040c945ebdbcaec4e8b0fb63e9b6aa3

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

Amadey

Detects Healer an antivirus disabler dropper

SectopRAT

SmokeLoader

SectopRAT payload

RedLine

Glupteba payload

Glupteba

RedLine payload

Healer

Modifies Windows Defender Real-time Protection settings

DcRat

Downloads MZ/PE file

Windows security modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-10 21:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-10 21:45
Reported: 2023-10-10 21:48
Platform: win7-20230831-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2544 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2056 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
PID 3052 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
PID 2712 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
PID 2660 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
PID 2660 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
PID 2544 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2544 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe | C:\Windows\SysWOW64\WerFault.exe
PID 3028 wrote to memory of 1568 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 268

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe

MD5 329da0069bb2125b78e45b5248d186ed
SHA1 c2fd67c3c0d5dd1904827cbed13c674d86952d5f
SHA256 1356cdbb022ed71041a0b779f53eee900f40771bffdadfb0493891af537d1159
SHA512 36062bc46d78240e5c2b39fc9b3a389c5dc97f76c834e90bae64b73c09a9db6318e1e8b2ff223dcf0d8814e13267c4bf1b44178668ad5cf132892ed3484c4fdf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe

MD5 329da0069bb2125b78e45b5248d186ed
SHA1 c2fd67c3c0d5dd1904827cbed13c674d86952d5f
SHA256 1356cdbb022ed71041a0b779f53eee900f40771bffdadfb0493891af537d1159
SHA512 36062bc46d78240e5c2b39fc9b3a389c5dc97f76c834e90bae64b73c09a9db6318e1e8b2ff223dcf0d8814e13267c4bf1b44178668ad5cf132892ed3484c4fdf

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe

MD5 1c28ec10c263eab4b6413b280d108d46
SHA1 bb5d7812bbb014f58057d0dfbb9e596db44f6cc7
SHA256 5c101224df6e71cda990eb4ab5427034bcd4f7451cb86aa77b05c170ea83f9be
SHA512 5b86e70ca49bfa68463003e758284bab973c65be7b849190d766f5bbd879ed237bc6516575d717d10966696323282e34ed0ecd829cfab86543b3951ff2479670

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe

MD5 1c28ec10c263eab4b6413b280d108d46
SHA1 bb5d7812bbb014f58057d0dfbb9e596db44f6cc7
SHA256 5c101224df6e71cda990eb4ab5427034bcd4f7451cb86aa77b05c170ea83f9be
SHA512 5b86e70ca49bfa68463003e758284bab973c65be7b849190d766f5bbd879ed237bc6516575d717d10966696323282e34ed0ecd829cfab86543b3951ff2479670

\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe

MD5 7dbda2a911a3c08bc3ac4539e4096cf6
SHA1 033907f8b2bf668cf2ab1de228e14ab2d490041a
SHA256 aacb49d435e7f0c6b2f7affe3a670bdc5c3917ce25e8f68d4b561877a85b8da5
SHA512 e8c7b9d0447794d200ec68adca5612dabc4c9ac6e4f7f1a0727011da499ee8a53f03a1a27e577a45cb726903d89bba21110e474e38b3da24cfee5433eb6a1329

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe

MD5 7dbda2a911a3c08bc3ac4539e4096cf6
SHA1 033907f8b2bf668cf2ab1de228e14ab2d490041a
SHA256 aacb49d435e7f0c6b2f7affe3a670bdc5c3917ce25e8f68d4b561877a85b8da5
SHA512 e8c7b9d0447794d200ec68adca5612dabc4c9ac6e4f7f1a0727011da499ee8a53f03a1a27e577a45cb726903d89bba21110e474e38b3da24cfee5433eb6a1329

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe

MD5 eb224ab4447fd162331de829a25cd323
SHA1 bc548105ff28c7df16c2bad188e84347ac545fac
SHA256 2297046a8c31790163a45d192afd48fc77260888829587fec5b72fe52cf489f0
SHA512 212ca1b198b858f9ef012cf691ea579657711601e5e26aa673650d40248b4576c7cab718a02f58ca2ee7000e2cc479fcbbe37f06358f33066205838e19df913c

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe

MD5 eb224ab4447fd162331de829a25cd323
SHA1 bc548105ff28c7df16c2bad188e84347ac545fac
SHA256 2297046a8c31790163a45d192afd48fc77260888829587fec5b72fe52cf489f0
SHA512 212ca1b198b858f9ef012cf691ea579657711601e5e26aa673650d40248b4576c7cab718a02f58ca2ee7000e2cc479fcbbe37f06358f33066205838e19df913c

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-10 21:45
Reported: 2023-10-10 21:48
Platform: win10v2004-20230915-en
Max time kernel: 141s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E126.bat | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EA41.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BAA0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7CE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E126.bat | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E3F5.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E6B6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA41.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\338F.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9306.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9808.exe | N/A

Windows security modification

evasion trojan

Two different stages touch the same value. 1jJ44zT3.exe is a 32-bit process, so its writes are redirected into the WOW6432Node view (it even has to create the Features key there first), which the 64-bit Defender service does not read. E6B6.exe writes the native key. Neither row shows whether the change stuck: when Tamper Protection is enabled, Defender rejects setting changes made directly through the registry, so these are attempts, not confirmed disables.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\E6B6.exe N/A

Adds Run key to start application

persistence

Every value here is the stock IExpress/wextract clean-up hook: the self-extractor registers rundll32.exe advpack.dll,DelNodeRunDLL32 under RunOnce so that its IXP00n.TMP extraction directory is removed at the next logon. The wextract_cleanup0 to wextract_cleanup4 names written by successive IXP00n.TMP executables trace the nesting of the self-extracting stages (file.exe and BAA0.exe each start a chain at IXP000.TMP); they are packer artefacts, not attacker-chosen autostart entries. The scheduled-task entries further down are the persistence worth hunting.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\BAA0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe N/A
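The two registry tables above (the Defender TamperProtection writes and the RunOnce entries) can be triaged mechanically. The following Python is an added example and is not part of this report or of the sandbox's own tooling: it parses rows in the format used here, folds the WOW6432Node view so one rule covers 32-bit and 64-bit writers while still recording which view was hit, separates IExpress wextract_cleanup entries from genuine autostart writes, and reports a Defender disable as an attempt rather than a confirmed change. The sample rows are copied from the tables above except the last one, a constructed HKCU Run entry used as a control; the Real-Time Protection value names, the key-matching rules and the finding labels are the example's own assumptions.

```python
"""Triage sandbox registry rows: Defender tampering versus packer clean-up noise.

Added example, not part of this report or the sandbox's tooling. SAMPLE_ROWS
are copied from the 'Windows security modification' and 'Adds Run key' tables
above (the last row is a constructed control); the rule set (which Defender
values count as a disable, what an IExpress clean-up entry looks like) is this
example's own, and the two Real-Time Protection names are well-known values
that do not appear in this report.
"""
import re

# One report row: "<op> <kernel path>[ = "<data>"] <process image> N/A"
ROW_RE = re.compile(
    r'^(?:Set value \((?:int|str)\)|Key created) (?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")? (?P<proc>[A-Z]:\\.+?) N/A$'
)

DEFENDER_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
DEFENDER_DISABLE = {  # value relative to DEFENDER_ROOT -> data that disables it
    r"Features\TamperProtection": "0",
    r"Real-Time Protection\DisableRealtimeMonitoring": "1",
    r"Real-Time Protection\DisableBehaviorMonitoring": "1",
}
# Matches HKLM and any HKU\<SID> Run / RunOnce key after normalisation.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# wextract/IExpress registers this RunOnce command to delete its IXP00n.TMP directory.
IEXPRESS_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\E6B6.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe N/A',
    # Constructed control row (not from the report): a plain per-user Run entry.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows\CurrentVersion\Run\example = "C:\\Users\\Admin\\AppData\\Local\\Temp\\example.exe" C:\Users\Admin\AppData\Local\Temp\example.exe N/A',
]


def normalize(path):
    """Kernel path -> HKLM/HKU form with the WOW6432Node view folded away.

    Returns (path, redirected). A 32-bit process without KEY_WOW64_64KEY is
    redirected into WOW6432Node; the 64-bit Defender service reads only the
    native key, so a redirected write to a Defender value never reaches it.
    """
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)
    folded = re.sub(r"\\WOW6432Node\\", r"\\", path, flags=re.I)
    return folded, folded != path


def classify(row):
    """One report row -> finding dict with a 'kind', or None if there is nothing to say."""
    m = ROW_RE.match(row)
    if not m or m["data"] is None:  # unparsable rows and 'Key created' rows
        return None
    path, redirected = normalize(m["path"])
    key, _, name = path.rpartition("\\")
    finding = {"path": path, "data": m["data"], "process": m["proc"],
               "redirected_view": redirected}
    if path.lower().startswith(DEFENDER_ROOT.lower()):
        rel = path[len(DEFENDER_ROOT) + 1:]
        if DEFENDER_DISABLE.get(rel) == m["data"]:
            # Even a native-view write is only an attempt: with Tamper Protection
            # on, Defender rejects setting changes made through the registry.
            finding["kind"] = ("defender_disable_redirected_view" if redirected
                               else "defender_disable_attempt")
            return finding
    if RUN_KEY_RE.search(key):
        if name.lower().startswith("wextract_cleanup") and IEXPRESS_CLEANUP.search(m["data"]):
            finding["kind"] = "iexpress_cleanup"  # packer artefact, not attacker persistence
        else:
            finding["kind"] = "autorun"
        return finding
    return None


def triage(rows):
    """Findings for all rows, in report order, skipping rows with nothing to flag."""
    return [f for f in map(classify, rows) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        view = "WOW6432Node" if f["redirected_view"] else "native"
        print(f'{f["kind"]:32s} {view:12s} {f["path"]}  <- {f["process"]}')
```

Running it on the rows above labels the 1jJ44zT3.exe write as a redirected-view disable, the E6B6.exe write as a native-view attempt, and the RunOnce entry as IExpress clean-up; only the constructed control row comes out as a real autorun entry. The same normalisation applies to Sysmon Event ID 13 paths if the ROW_RE prefix is swapped for that log format.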

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

AppLaunch.exe is the Microsoft .NET ClickOnce launch utility and has no business enumerating SCSI devices. The queries come from code written into it by the IXP-stage executables (see the WriteProcessMemory rows below); reading Enum\SCSI is a common hardware fingerprint used to spot virtual machines by their disk vendor strings.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

The BIOS vendor reads here are made by msedge.exe, which the process list shows was started by cmd.exe from the batch file dropped by 5de6Gr9.exe (msedge.exe --single-argument https://accounts.google.com/ and https://www.facebook.com/login). A browser reading SystemManufacturer and SystemProductName is ordinary telemetry, so this signature reflects how Edge was launched rather than malicious code inside it.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E6B6.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Every parent here writes two or three times into each child it starts, including cmd.exe into msedge.exe and msedge.exe into its own children, so the call on its own is not the signal. What stands out is the count and the target: 2wC4075.exe (PID 3772) writes 10 times into AppLaunch.exe PID 2292, 3oe55Bm.exe (PID 5068) 6 times into PID 4660 and 4qc612tn.exe (PID 1924) 8 times into PID 4148, each a freshly started copy of the Microsoft .NET host. Together with the UnmapMainImage and MapViewOfSection rows above this is the footprint of process hollowing, and the WerFault.exe entries in the process list for PIDs 3772, 2292, 5068 and 1924 show those hosts and their injectors crashing afterwards.

Description Indicator Process Target
PID 3536 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
PID 3536 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
PID 3536 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe
PID 4792 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
PID 4792 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
PID 4792 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe
PID 544 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
PID 544 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
PID 544 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe
PID 3884 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
PID 3884 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
PID 3884 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe
PID 3884 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
PID 3884 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
PID 3884 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe
PID 3772 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3772 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 544 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe
PID 544 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe
PID 544 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe
PID 5068 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5068 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5068 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5068 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5068 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5068 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4792 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe
PID 4792 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe
PID 4792 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe
PID 1924 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3536 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe
PID 3536 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe
PID 3536 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe
PID 2320 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe C:\Windows\system32\cmd.exe
PID 428 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 428 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3300 wrote to memory of 4836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3300 wrote to memory of 4836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 428 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 428 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3240 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3240 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3300 wrote to memory of 4432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3300 wrote to memory of 4432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3300 wrote to memory of 4432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
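The table above is more useful as a graph than as 64 rows. The Python below is an added example, not produced by the sandbox: it parses rows in the report's format, collapses repeated rows into per-edge write counts, walks the writer-to-target edges back to file.exe, and flags the edges that look like injection rather than ordinary process start-up. The edges and their repetition counts are the report's own; the threshold of three writes (read off the cmd.exe and msedge.exe edges in this report) and the Temp-to-Windows path heuristic are the example's assumptions.

```python
"""Rebuild the injection chain from a sandbox 'wrote to memory of' table.

Added example; it is not produced by the sandbox. REPORT_EDGES are the
report's WriteProcessMemory rows (writer PID, target PID, images, and how many
rows each pair has), replayed in the report's row format so the parser runs
on realistic input. The threshold and path heuristics are this example's own.
"""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CMD = r"C:\Windows\system32\cmd.exe"

# (writer pid, target pid, writer image, target image, rows in the report)
REPORT_EDGES = [
    (3536, 4792, TEMP + r"\file.exe", TEMP + r"\IXP000.TMP\CB4DQ66.exe", 3),
    (4792, 544, TEMP + r"\IXP000.TMP\CB4DQ66.exe", TEMP + r"\IXP001.TMP\Ds1MV99.exe", 3),
    (544, 3884, TEMP + r"\IXP001.TMP\Ds1MV99.exe", TEMP + r"\IXP002.TMP\op2bt28.exe", 3),
    (3884, 1344, TEMP + r"\IXP002.TMP\op2bt28.exe", TEMP + r"\IXP003.TMP\1jJ44zT3.exe", 3),
    (3884, 3772, TEMP + r"\IXP002.TMP\op2bt28.exe", TEMP + r"\IXP003.TMP\2wC4075.exe", 3),
    (3772, 1620, TEMP + r"\IXP003.TMP\2wC4075.exe", APPLAUNCH, 3),
    (3772, 2292, TEMP + r"\IXP003.TMP\2wC4075.exe", APPLAUNCH, 10),
    (544, 5068, TEMP + r"\IXP001.TMP\Ds1MV99.exe", TEMP + r"\IXP002.TMP\3oe55Bm.exe", 3),
    (5068, 4660, TEMP + r"\IXP002.TMP\3oe55Bm.exe", APPLAUNCH, 6),
    (4792, 1924, TEMP + r"\IXP000.TMP\CB4DQ66.exe", TEMP + r"\IXP001.TMP\4qc612tn.exe", 3),
    (1924, 4148, TEMP + r"\IXP001.TMP\4qc612tn.exe", APPLAUNCH, 8),
    (3536, 2320, TEMP + r"\file.exe", TEMP + r"\IXP000.TMP\5de6Gr9.exe", 3),
    (2320, 428, TEMP + r"\IXP000.TMP\5de6Gr9.exe", CMD, 2),
    (428, 3300, CMD, MSEDGE, 2),
    (3300, 4836, MSEDGE, MSEDGE, 2),
    (428, 3240, CMD, MSEDGE, 2),
    (3240, 4936, MSEDGE, MSEDGE, 2),
    (3300, 4432, MSEDGE, MSEDGE, 3),
]
# Replay as the raw rows the report prints, one line per recorded write.
REPORT_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
               for s, d, si, di, n in REPORT_EDGES for _ in range(n)]

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<src_img>[A-Z]:\\.+?\.exe) (?P<dst_img>[A-Z]:\\.+)$")


def count_writes(rows):
    """Collapse repeated rows into {(writer, target): count} plus a PID -> image map."""
    counts, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        counts[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return counts, images


def hollowing_candidates(rows, baseline=3):
    """Edges that look like code injection rather than plain process start-up.

    Every parent in the report writes two or three times into each child it
    launches (the cmd.exe -> msedge.exe edges show this baseline), so the call
    alone proves nothing. Flag a writer living in the user's Temp directory
    that writes more than `baseline` times into a Windows-shipped host binary.
    `baseline` is an assumption read off this report, not a sandbox constant.
    """
    counts, images = count_writes(rows)
    return {
        (src, dst): n for (src, dst), n in counts.items()
        if n > baseline
        and "\\appdata\\local\\temp\\" in images[src].lower()
        and images[dst].lower().startswith("c:\\windows\\")
    }


def ancestry(rows, pid):
    """Follow writer -> target edges back to the root; returns a root-first PID chain."""
    counts, _ = count_writes(rows)
    parent = {dst: src for src, dst in counts}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    _, images = count_writes(REPORT_ROWS)
    for (src, dst), n in hollowing_candidates(REPORT_ROWS).items():
        print(f"{n:2d} writes  {images[src]} -> {images[dst]} (pid {dst})")
        print("    chain:", " -> ".join(map(str, ancestry(REPORT_ROWS, dst))))
```

On this report the three flagged edges are exactly the AppLaunch.exe hosts that later show up in the WerFault.exe entries, while the first AppLaunch.exe (PID 1620, three writes) and every cmd.exe and msedge.exe edge stay below the baseline. The ancestry walk gives the full drop chain for any flagged PID, which is the ordering to use when pulling the IXP00n.TMP stages for static analysis.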

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3772 -ip 3772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2292 -ip 2292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5068 -ip 5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3AC2.tmp\3AC3.tmp\3AC4.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffc562d46f8,0x7ffc562d4708,0x7ffc562d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

Both login pages are opened by the batch file that 5de6Gr9.exe dropped and ran through C:\Windows\sysnative\cmd.exe, the path a 32-bit process uses to reach the 64-bit cmd.exe; E126.bat further down follows the same pattern. This launch is why msedge.exe and its crashpad, GPU, network and renderer children appear throughout the signature tables above.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc562d46f8,0x7ffc562d4708,0x7ffc562d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,1937460803996180796,11078827719081635513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,1937460803996180796,11078827719081635513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\BAA0.exe

C:\Users\Admin\AppData\Local\Temp\BAA0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

C:\Users\Admin\AppData\Local\Temp\D7CE.exe

C:\Users\Admin\AppData\Local\Temp\D7CE.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe

C:\Users\Admin\AppData\Local\Temp\E126.bat

"C:\Users\Admin\AppData\Local\Temp\E126.bat"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 220 -ip 220

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E2CA.tmp\E2CB.tmp\E2CC.bat C:\Users\Admin\AppData\Local\Temp\E126.bat"

C:\Users\Admin\AppData\Local\Temp\E3F5.exe

C:\Users\Admin\AppData\Local\Temp\E3F5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 408

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe

C:\Users\Admin\AppData\Local\Temp\E6B6.exe

C:\Users\Admin\AppData\Local\Temp\E6B6.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4356 -ip 4356

C:\Users\Admin\AppData\Local\Temp\EA41.exe

C:\Users\Admin\AppData\Local\Temp\EA41.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3100 -ip 3100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5280 -ip 5280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 540

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc562d46f8,0x7ffc562d4708,0x7ffc562d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc562d46f8,0x7ffc562d4708,0x7ffc562d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1455404117922858339,6800752853783280333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\338F.exe

C:\Users\Admin\AppData\Local\Temp\338F.exe

C:\Users\Admin\AppData\Local\Temp\9306.exe

C:\Users\Admin\AppData\Local\Temp\9306.exe

C:\Users\Admin\AppData\Local\Temp\9808.exe

C:\Users\Admin\AppData\Local\Temp\9808.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\9C8D.exe

C:\Users\Admin\AppData\Local\Temp\9C8D.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1952 -ip 1952

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 804

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
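
The process list above contains the whole persistence routine in three command lines: schtasks.exe creates a task that re-launches explothe.exe from a random directory under %TEMP% every minute (/SC MINUTE /MO 1, /F to overwrite any existing task), and cmd.exe then runs CACLS twice on the file and on its directory. The first CACLS call (/P "Admin:N" without /E) replaces the whole ACL so the running user keeps no access; the second (/P "Admin:R" /E) edits that back to read-only. The net effect is that the same user account can no longer delete or overwrite the file or the directory until the DACL is reset (the owner can still do that, for example with icacls /reset), a pattern commonly seen with Amadey. The rest of the list is worth reading the same way: AppLaunch.exe started repeatedly with no arguments, WerFault.exe naming the PIDs that crashed, msedge.exe opened straight onto accounts.google.com and the Facebook login page, and several executables run from %TEMP%.

The following script is an added example and is not part of the original report or of the sandbox's own signature logic. It runs a small set of heuristic rules over command lines taken from the list above (SAMPLE_CMDLINES is a constructed subset; one benign Edge renderer line is shortened). The rule names, severities and regular expressions are this example's own choices.

```python
"""Command-line triage over a sandbox process list.

Added example, not part of the original report. SAMPLE_CMDLINES is a
constructed subset of the command lines in the process list above (one
benign Edge renderer line is shortened); the rule names, severities and
regexes are this example's own heuristics, not the sandbox's signatures.
"""
import re

SAMPLE_CMDLINES = [
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 220 -ip 220',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 408',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4356 -ip 4356',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3100 -ip 3100',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 540',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1952 -ip 1952',
    r'"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&'
    r'CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&'
    r'CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login',
    # Shortened benign renderer line (constructed): must not trip the login-page rule.
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US',
    r'"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"',
]

TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)
SCHTASKS_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b', re.I)
SC_RE = re.compile(r'/SC\s+(\w+)', re.I)
MO_RE = re.compile(r'/MO\s+(\d+)', re.I)
TR_RE = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
# CACLS <target> /P <user>:N  -> that user's access on <target> is set to None
CACLS_DENY_RE = re.compile(r'CACLS\s+"?([^"\s]+)"?\s+/P\s+"?[^":]+:N"?', re.I)
WERFAULT_PID_RE = re.compile(r'WerFault\.exe\b.*?\s-p\s+(\d+)', re.I)
SINGLE_ARG_RE = re.compile(r'--single-argument\s+(\S+)', re.I)
APPLAUNCH_NOARGS_RE = re.compile(r'^"?[^"]*\\AppLaunch\.exe"?\s*$', re.I)
LOGIN_HINTS = ("accounts.google.com", "/login")


def image_path(cmdline):
    """Executable at the head of a command line, with or without quotes."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(None, 1)[0]


def triage(cmdlines):
    """Apply each rule to each command line; returns findings in input order."""
    findings = []
    for cl in cmdlines:
        img = image_path(cl)
        if TEMP_DIR_RE.search(img):
            findings.append({"rule": "exec_from_temp", "severity": "medium", "image": img, "cmdline": cl})
        if APPLAUNCH_NOARGS_RE.match(cl):
            # An argument-less .NET host is a classic target for process hollowing.
            findings.append({"rule": "noarg_dotnet_host", "severity": "medium", "image": img, "cmdline": cl})
        if SCHTASKS_CREATE_RE.search(cl):
            sc, mo, tr = SC_RE.search(cl), MO_RE.search(cl), TR_RE.search(cl)
            target = (tr.group(1) or tr.group(2)) if tr else ""
            interval = int(mo.group(1)) if mo else None
            if sc and sc.group(1).upper() == "MINUTE" and interval is not None and interval <= 5:
                sev = "high" if TEMP_DIR_RE.search(target) else "medium"
                findings.append({"rule": "minute_scheduled_task", "severity": sev, "target": target,
                                 "interval_minutes": interval, "cmdline": cl})
        denied = CACLS_DENY_RE.findall(cl)
        if denied:
            findings.append({"rule": "acl_self_protection", "severity": "high",
                             "denied_targets": denied, "cmdline": cl})
        m = SINGLE_ARG_RE.search(cl)
        if m and any(h in m.group(1).lower() for h in LOGIN_HINTS):
            findings.append({"rule": "browser_login_page", "severity": "low", "url": m.group(1), "cmdline": cl})
    return findings


def crashed_pids(cmdlines):
    """PIDs named by WerFault.exe -p, i.e. the processes that crashed. The report
    gives only PIDs, so map them back to images with the process tree."""
    pids = {int(m.group(1)) for cl in cmdlines for m in [WERFAULT_PID_RE.search(cl)] if m}
    return sorted(pids)


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"[{f['severity']:6}] {f['rule']:22} {f['cmdline'][:90]}")
    print("crashed PIDs:", crashed_pids(SAMPLE_CMDLINES))
```

Run as a script it prints one line per finding followed by the crashed PIDs; to use it on a full report, replace SAMPLE_CMDLINES with the exported command lines. The minute-interval rule deliberately keys on the interval and on a user-writable target rather than on the task name, since the name changes per sample while the schedule does not.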

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
RU 5.42.92.211:80 5.42.92.211 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
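
The table above mixes several kinds of traffic that deserve different handling: reverse (in-addr.arpa) lookups issued by the sandbox's resolver, the browser's own traffic to Google and Facebook once the login pages were opened, plain HTTP to bare IP addresses (77.91.68.29, 5.42.92.211, 5.42.65.80, 85.209.176.171, 185.216.70.222, 77.91.124.1), repeated TCP connections to 77.91.124.55:19071 with no hostname at all, pastebin.com over TLS, and tak.soydet.top on port 8443. Only the last three groups belong on a blocklist; the first two are noise that would generate false positives if exported as-is.

The following script is an added example and not part of the original report. It parses rows in the table's format (SAMPLE_ROWS is a constructed subset of the rows above), sorts them into categories, counts hits per destination and produces an IOC list from the high-confidence categories only. The category names, the benign-suffix list and the IOC policy are this example's own choices.

```python
"""Triage of a sandbox Network table.

Added example, not part of the original report. SAMPLE_ROWS is a
constructed subset of the rows in the table above; the category names,
the benign-suffix list and the IOC policy are this example's own choices.
"""
import ipaddress
from collections import Counter, defaultdict

SAMPLE_ROWS = """\
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
N/A 224.0.0.251:5353 udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
"""

# Reached by the sandbox's Edge once the login pages are opened; browser noise, not IOCs.
BENIGN_SUFFIXES = ("google.com", "facebook.com", "fbcdn.net", "fbsbx.com")
# Legitimate services present in the table that are commonly abused for payload/config hosting.
ABUSED_HOSTING = ("pastebin.com",)
HIGH = {"raw_ip_http", "bare_port_c2", "uncommon_port_domain"}


def parse_row(line):
    """'CC ip:port [domain] proto' -> dict; the Domain column is optional."""
    parts = line.split()
    domain = parts[2] if len(parts) == 4 else ""
    ip, port = parts[1].rsplit(":", 1)
    return {"country": parts[0], "ip": ip, "port": int(port), "domain": domain, "proto": parts[-1]}


def _under(domain, suffixes):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in suffixes)


def classify(row):
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if ipaddress.ip_address(ip).is_multicast:
        return "noise_mdns"                 # 224.0.0.251:5353 is local mDNS chatter
    if domain.endswith(".in-addr.arpa"):
        return "noise_ptr"                  # reverse lookups issued by the sandbox resolver
    if _under(domain, BENIGN_SUFFIXES):
        return "browser_benign"
    if _under(domain, ABUSED_HOSTING):
        return "abused_hosting"             # worth pulling the paste, but not a blocklist entry
    if port == 53:
        return "dns_lookup"                 # judged together with the connection that follows
    if domain == ip and port == 80:
        return "raw_ip_http"                # plain HTTP to a bare IP: payload fetch / C2 poll
    if not domain and port not in (80, 443):
        return "bare_port_c2"               # repeated TCP to a bare IP on an odd port
    if port not in (80, 443):
        return "uncommon_port_domain"       # e.g. 8443 on a throwaway domain
    return "other"


def summarize(text):
    """category -> Counter of 'ip:port' hit counts."""
    buckets = defaultdict(Counter)
    for line in text.strip().splitlines():
        row = parse_row(line)
        buckets[classify(row)][f"{row['ip']}:{row['port']}"] += 1
    return buckets


def ioc_list(text):
    """Sorted unique IPs and hostnames from the high-confidence categories only."""
    iocs = set()
    for line in text.strip().splitlines():
        row = parse_row(line)
        if classify(row) in HIGH:
            iocs.add(row["ip"])
            if row["domain"] and row["domain"] != row["ip"]:
                iocs.add(row["domain"])
    return sorted(iocs)


if __name__ == "__main__":
    for cat, hits in summarize(SAMPLE_ROWS).items():
        print(cat, dict(hits))
    print("IOCs:", ioc_list(SAMPLE_ROWS))
```

The hit counter matters as much as the categories: a bare-IP destination on a non-standard port that recurs every few rows, as 77.91.124.55:19071 does above, is a beaconing pattern, while a single raw-IP HTTP fetch is more likely a one-off payload download. pastebin.com is kept out of the IOC list on purpose; block the resolved paste, not the service.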

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CB4DQ66.exe

MD5 329da0069bb2125b78e45b5248d186ed
SHA1 c2fd67c3c0d5dd1904827cbed13c674d86952d5f
SHA256 1356cdbb022ed71041a0b779f53eee900f40771bffdadfb0493891af537d1159
SHA512 36062bc46d78240e5c2b39fc9b3a389c5dc97f76c834e90bae64b73c09a9db6318e1e8b2ff223dcf0d8814e13267c4bf1b44178668ad5cf132892ed3484c4fdf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds1MV99.exe

MD5 1c28ec10c263eab4b6413b280d108d46
SHA1 bb5d7812bbb014f58057d0dfbb9e596db44f6cc7
SHA256 5c101224df6e71cda990eb4ab5427034bcd4f7451cb86aa77b05c170ea83f9be
SHA512 5b86e70ca49bfa68463003e758284bab973c65be7b849190d766f5bbd879ed237bc6516575d717d10966696323282e34ed0ecd829cfab86543b3951ff2479670

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\op2bt28.exe

MD5 7dbda2a911a3c08bc3ac4539e4096cf6
SHA1 033907f8b2bf668cf2ab1de228e14ab2d490041a
SHA256 aacb49d435e7f0c6b2f7affe3a670bdc5c3917ce25e8f68d4b561877a85b8da5
SHA512 e8c7b9d0447794d200ec68adca5612dabc4c9ac6e4f7f1a0727011da499ee8a53f03a1a27e577a45cb726903d89bba21110e474e38b3da24cfee5433eb6a1329

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ44zT3.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/1344-29-0x0000000074960000-0x0000000075110000-memory.dmp

memory/1344-28-0x00000000021C0000-0x00000000021DE000-memory.dmp

memory/1344-30-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/1344-31-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/1344-32-0x0000000004A50000-0x0000000004FF4000-memory.dmp

memory/1344-33-0x0000000004990000-0x00000000049AC000-memory.dmp

memory/1344-34-0x0000000074960000-0x0000000075110000-memory.dmp

memory/1344-35-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/1344-36-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/1344-37-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-38-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-40-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-42-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-44-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-46-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-48-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-50-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-52-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-54-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-56-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-58-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-62-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-60-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-64-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/1344-66-0x0000000074960000-0x0000000075110000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wC4075.exe

MD5 eb224ab4447fd162331de829a25cd323
SHA1 bc548105ff28c7df16c2bad188e84347ac545fac
SHA256 2297046a8c31790163a45d192afd48fc77260888829587fec5b72fe52cf489f0
SHA512 212ca1b198b858f9ef012cf691ea579657711601e5e26aa673650d40248b4576c7cab718a02f58ca2ee7000e2cc479fcbbe37f06358f33066205838e19df913c

memory/2292-70-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2292-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2292-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2292-74-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oe55Bm.exe

MD5 d10f16c23811c0b3a027f827e821d67f
SHA1 306ef00dc0683f682be9b0c92299c1f08541823b
SHA256 8057ab2256e571563df0e6a6573f767b7b56a20252cc9fe02ede746944cd1733
SHA512 6bc471819559fe00cc902c1fa00a0e7ca934ebf3e2b907d9e7ec170fd6d14e082351282649c100ab3583949568c2c7f98d05920410f36a51c90664c140148e2d

memory/4660-78-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4660-79-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc612tn.exe

MD5 c92d8cd32f721c00c64249e4dcf22445
SHA1 cac151798204da5dd18f33ed8f9ea456fe80e138
SHA256 68f65207fc721f60d56ccabf09b792728ae0624b9aebe579de8264001d23f6a7
SHA512 cb464382a477eaaf44e920835e4806dd9211a425c1067c30f1ceca39ca65327a4b18f8a6148abb60026727031d05a9ad44a8b52f12547f4ec2c4648682eabddd

memory/4148-83-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4148-84-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4148-85-0x0000000007B80000-0x0000000007C12000-memory.dmp

memory/4148-86-0x0000000007DF0000-0x0000000007E00000-memory.dmp

memory/4148-87-0x0000000007C20000-0x0000000007C2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5de6Gr9.exe

MD5 fbfb7c87403163c4e9bba4dd3e7a23e2
SHA1 133c3a05314c9517135291d248faa98cd01a906d
SHA256 d1a18fad8c23f0f746eef147abade6e8b787f53cbc403f5a9874e97d84f767dc
SHA512 9f6dba5976062ad4be3bee1f71accb3a266d812b3109dd1c73a552054d78d4be23fedfbf4b13a2941046d10b65712d500116eb310046dd04f6bf7552018bc3d8

memory/4148-92-0x0000000008C60000-0x0000000009278000-memory.dmp

memory/4148-93-0x0000000007F10000-0x000000000801A000-memory.dmp

memory/4148-94-0x0000000007E00000-0x0000000007E12000-memory.dmp

memory/4148-95-0x0000000007E60000-0x0000000007E9C000-memory.dmp

memory/4148-96-0x0000000007EA0000-0x0000000007EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3AC2.tmp\3AC3.tmp\3AC4.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dc1545f40e709a9447a266260fdc751e
SHA1 8afed6d761fb82c918c1d95481170a12fe94af51
SHA256 3dadfc7e0bd965d4d61db057861a84761abf6af17b17250e32b7450c1ddc4d48
SHA512 ed0ae5280736022a9ef6c5878bf3750c2c5473cc122a4511d3fb75eb6188a2c3931c8fa1eaa01203a7748f323ed73c0d2eb4357ac230d14b65d18ac2727d020f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

\??\pipe\LOCAL\crashpad_3300_SRDUWUTPXPMYBYJX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_3240_WEWUFUGVULYBKNOC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 24ed5466b3402d3684e5c7a9d0049b7e
SHA1 287fa9453580d5ea5700d4c1545f9b7a9dafff44
SHA256 60c96c0c30d3d37a48ea7006089796f13586f4e1431f88c66dc57cbba368242f
SHA512 803c445255425c8aa97c68f6ba56f9b17e76cadc4424515c590ac24871b57d8b6a890cc191f86ec46712403fb4349ced8c5cbc87eaf93d30f5081a9d20f8e384

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c22b6462a707f4fdfa3a8a608a35879f
SHA1 b7cd13c45683a0b87a97c449defcecb45aee069e
SHA256 ae6413041c72fe4a43e3e171b2115c56afe56cecd33486caaf7813f03f982001
SHA512 3408febd758886b6115709dacdf2879287ad5ca0aceb40f735df81d4620540c4b5877af864cfe929a7d965e3d8106414c0d549c9d448cf44fba46dfd63fe0b72

memory/3224-158-0x0000000003290000-0x00000000032A6000-memory.dmp

memory/4660-159-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4148-189-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4148-196-0x0000000007DF0000-0x0000000007E00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d30821c457e498dd42f79c22a96387ac
SHA1 0f14be9e1c3e7c8942db3f8d32596f7a25127ef4
SHA256 11ca670147e8b0c9f8cd2ef73eacccbb89dd197db4450454b1f7691120a450c1
SHA512 ca3997a35669bae1e66f6f6bf3ad0b2d514684fe6bcfff1ff761a4ab5e2416fd1bcf0d548d9fe78b0e5cbff9dc948bceff3d21b8bcf4957a6df3c6b165ade7e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 58a0fe0d2e884aab7f352393bf94bab0
SHA1 8b41bf5cf23b2c3341bbb297f17f5475f6a953e4
SHA256 de832dfe951081343b6f3b86f32dce1acacc2d776625071bf4dc9832a0e99448
SHA512 408cca605b42df1684822a73ee578e558ecd6e7337183f5624351b02a5accc095afbe79538744f525aeb0cde62adf626c50335ee566a6cd966a08b996ff301ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 15ad31a14e9a92d2937174141e80c28d
SHA1 b09e8d44c07123754008ba2f9ff4b8d4e332d4e5
SHA256 bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde
SHA512 ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\BAA0.exe

MD5 6e6ec8980dca281b098eb1bf5c3a6f99
SHA1 f74129680e21f2073f5f4c9d39b7120f72b0a208
SHA256 183e5a913132b82f31ae280e5a092ee98caf1118ffcff96f467cf5f0200ad7a9
SHA512 4056ae72f57130fe9f7bb03eddf8b0e85ecd2e00d93bddd9da7e325d7207eea8b94d3a66fbfa72bc51f02bcc96cb404f71c51045cf2a680f0123f528f728d00b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Nw86rk.exe

MD5 3d269c5ae178789d40051b9b0daf7bc2
SHA1 bf9a901740b8fbc74c514382a18edd7eed0fea1f
SHA256 964a6712b6e047938eeca6ccac88b2e2085fdd64f3562893b5a5a42667982fbd
SHA512 01e7d6fbd6f87d6c7256130d4518659fac0b4c0a9e5459ec848fea0a4a1d50c9a8dd8fb8265536b7a907f81f873aa80774fab82df8558dbaa155d1d3ca5515b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 af6e764745fbff3065e0b0ff4defd74e
SHA1 0e3a4fe84aada1f9efd441d3e0df8352708fcbc1
SHA256 aef366e18e9d0a74f3c4c45247028875e5245214f6c765e46047b05256dea4a5
SHA512 02779c8d814d2ce335960239049445741a99bbf84a17d39b373a04cdb57b31f30f600fb4081d9acd96bbad3aa0097ba2fd07e255ed659e78305597d50ef12b11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

MD5 693c6c86eb7499b1d4bb6bbc65db4c2d
SHA1 8cca414c23ea2daf31a1d94eb26fee12921c3f65
SHA256 9ef0773421dcfbaa3f1f98f3d569538a63adb0df6e68ce92cef6016baf181165
SHA512 5ed8f92f95ff2c63bb567fdf9a4b6117c4fbea0a9d73691dc402271f4c3bb623bd86417af034f23a5fedf37520e07da72284bffa735afcf0fc832ef553ab00d2

C:\Users\Admin\AppData\Local\Temp\D7CE.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 22a58a19c1292db97d93843d5545de5e
SHA1 79a90f393b392837e3eeab2fd80c00f612356f51
SHA256 b165f7d63d7cd4eecb243532d756d60f64467ac3b5b498c8931e1ea39babcce7
SHA512 a9c5e3a29f41e1d474e9b39d8b0b6531ff7bcdac44846450242c6ab8e52025b6ecf02e88e323dd71f7fb355099bb31cb154adcfccd8e95aea0d90bdd15912908

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e1c0.TMP

MD5 5b28dad278ab273d9f421cdbfa331705
SHA1 fcae4233cf18b996ba7f5437f2ebdd6fd0b2b063
SHA256 0bc3d0f67228bab3e4b20fb3487dd8fa4abb742a05b6dc76d4c51c5d80c0dff9
SHA512 c88ea3a3e993a9e6329bca349fd4f64b017a3c9b938a02d3b6cbe9a83a838e84e0a8ee53658ae61858db223d41487135ba53a4718ada55a177f8c04050c3a8be

C:\Users\Admin\AppData\Local\Temp\E126.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IG0cq8AC.exe

MD5 eb0dd850df8c60600b6a0da57bc332c0
SHA1 205abf9bd526db8471a67ea9655996aebfe7a14c
SHA256 7311b1a64fd4ba02cb63567080ba6976c826244577a8bc685b06a843551ed3f4
SHA512 0059cc23beb8aa5985bc7838b2f94efe67947f782cbda3de7d15f5dae1069749d949415f702d1131b59c75f33450556abf1464bfda4ca6cb792450b6b49698a0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bL1tU9by.exe

MD5 f1d32094252c66f6f22bd4c8c1acd996
SHA1 44edc6c2dc8f92290f29074abd25ea28bdc91393
SHA256 16dc74bd958a00a9a29845130529f12979f0e440e6e2139fcfdabe1dbfd0409c
SHA512 f44ce7e2ad437dc70eb7520c3776f62bfc7b642a652df138b162c63e71e2838ff1bf5fdeba6b2577ef11638945619a77d82a6382a220ca11536caa9c1ab9afef

memory/3080-320-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3080-321-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3080-324-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E3F5.exe

MD5 c6dcaa9b9d234fba471592f67bbed65c
SHA1 ddd52620fd70c51b5f604dfdffc83c02841898c6
SHA256 b2dd68e9fcfb768c675ee00730018d4847fe3df812837162a1b7ed483f6920a0
SHA512 1790d5dd3237991d90cf9290a3916aa554cafd5de27e877072d5af6733948a245380910593ae52ef4b61b0cff93874423016cb18a8b8b4640ddb1cef9824894b

C:\Users\Admin\AppData\Local\Temp\E3F5.exe

MD5 c6dcaa9b9d234fba471592f67bbed65c
SHA1 ddd52620fd70c51b5f604dfdffc83c02841898c6
SHA256 b2dd68e9fcfb768c675ee00730018d4847fe3df812837162a1b7ed483f6920a0
SHA512 1790d5dd3237991d90cf9290a3916aa554cafd5de27e877072d5af6733948a245380910593ae52ef4b61b0cff93874423016cb18a8b8b4640ddb1cef9824894b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe

MD5 337bcef68d1505c1b939d9419b5ba2fa
SHA1 da7994b8e3413d1737f4487bbf2fd3d86e3298ab
SHA256 52067f320a43821e6a63a7aac95e9837f00b0ebe475b95c8974042f575fe6b8d
SHA512 bde954f048b432832482e388c6f31f83a5ecead26f152cce9b6964a00fcac16072583dccc5e7d1d86fcb2d0037426837dff71515d87451315ff11aab562e26ae

C:\Users\Admin\AppData\Local\Temp\E2CA.tmp\E2CB.tmp\E2CC.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qh9By1xf.exe

MD5 337bcef68d1505c1b939d9419b5ba2fa
SHA1 da7994b8e3413d1737f4487bbf2fd3d86e3298ab
SHA256 52067f320a43821e6a63a7aac95e9837f00b0ebe475b95c8974042f575fe6b8d
SHA512 bde954f048b432832482e388c6f31f83a5ecead26f152cce9b6964a00fcac16072583dccc5e7d1d86fcb2d0037426837dff71515d87451315ff11aab562e26ae

C:\Users\Admin\AppData\Local\Temp\E6B6.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\E6B6.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

memory/4736-354-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hU83ic7.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

memory/4736-359-0x00007FFC52D50000-0x00007FFC53811000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA41.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\EA41.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5056-365-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/5056-366-0x0000000007740000-0x0000000007750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5280-369-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5280-374-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3080-368-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5280-376-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe

MD5 4efc0d118a80d9e01765d803b8a2cf61
SHA1 70ef64b40c65b03a1e98afb0b842959464b30cae
SHA256 42e02486e940d9b85523ad4382cf67d2924f552bc15d919f77b9a3fd1dfa4f03
SHA512 f3b84c830c954c417a454028aad4b30949b41690e451dbd7aa58c40c73f49e41e3a14666090b76894ee8bbe7647e24797b32833417bc6959fa143ada8c59f948

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZD054Xl.exe

MD5 4efc0d118a80d9e01765d803b8a2cf61
SHA1 70ef64b40c65b03a1e98afb0b842959464b30cae
SHA256 42e02486e940d9b85523ad4382cf67d2924f552bc15d919f77b9a3fd1dfa4f03
SHA512 f3b84c830c954c417a454028aad4b30949b41690e451dbd7aa58c40c73f49e41e3a14666090b76894ee8bbe7647e24797b32833417bc6959fa143ada8c59f948

memory/5620-384-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/5620-383-0x0000000000570000-0x00000000005AE000-memory.dmp

memory/5620-385-0x0000000007470000-0x0000000007480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

memory/4736-439-0x00007FFC52D50000-0x00007FFC53811000-memory.dmp

memory/5056-443-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/5056-444-0x0000000007740000-0x0000000007750000-memory.dmp

memory/5620-457-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/5620-458-0x0000000007470000-0x0000000007480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e7de31207246a33901d64a4b0bf8e437
SHA1 d2ebe288139357ba6915ffd3f94e48bf838ea2f6
SHA256 5acfb2a6c65930124af25605992a5bd1729065678801b9d8e99053c91c551f74
SHA512 fe6f0823c00a47ce74ad69c31dcb89a440a33139716a6307ae43ad69b20df9784e5c1e3f6cfef2e1c8a291d9c01cc125df893de845712cea17cb620932e2d665

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4d8e319146e5976b8be071f4e37bb768
SHA1 1a95c8a3c6d32e350b45623ea219e14d5f40e340
SHA256 cd7abba991fe9efd8fd70a103d83bea4b74e246a7bb0a53c19a3594c27055925
SHA512 40f7ac59f18736fef1a60578ca2b7859217cd2c005f602f392e82464e2854665707d25ea025f9f9812ec23ee8eb979af0fcc697254dd282545a430e6ab458e55

memory/4736-492-0x00007FFC52D50000-0x00007FFC53811000-memory.dmp

memory/5904-508-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/5904-509-0x0000000000840000-0x000000000176A000-memory.dmp

memory/5904-515-0x0000000074550000-0x0000000074D00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 efcbfc1bf9f11c3d07cae78a4df5e8d3
SHA1 9db30cd135d46097affab4b47a50f51b4186c32e
SHA256 8229d7603ae3dda6abd51231b6c4589c3977a6901ad398c8bcbbec141213bef5
SHA512 2697bf737321c186f1fdeabed6720bc72ccd3fe8230399ea74f15e4286cc929146c7b15d2a43ac56c15f08b5d65f8d7877fb9dae6456a1506a5c01108dd8acc6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f82cfe41f02f48ac5ca5db372cf4ba73
SHA1 a0788d95f505a4ad8221c6f28cb1d4da6fe8faad
SHA256 6be2bfe381ccd10f666ebf719182fe5faa3de01b58cbf6c98bb1f4106cbfe1b0
SHA512 b5e4806341439d58fa14a794df51cd92865f9ab79468a9be57c5f43df8322c8ae9f2e36eb227446f42837d0047bffe0e5af2729151b64e31fbd810015268cb73

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/1952-563-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/1952-573-0x0000000000700000-0x000000000075A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1952-584-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4416-586-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5504-588-0x0000000000EE0000-0x00000000013F6000-memory.dmp

memory/4416-585-0x00000000001C0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5504-597-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/3936-595-0x0000000000B00000-0x0000000000B1E000-memory.dmp

memory/5504-600-0x0000000005D00000-0x0000000005D10000-memory.dmp

memory/3936-599-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4416-602-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/5904-603-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/5504-604-0x0000000005F50000-0x0000000005FEC000-memory.dmp

memory/5504-605-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

memory/3936-606-0x0000000005440000-0x0000000005450000-memory.dmp

memory/2896-614-0x0000000002440000-0x0000000002540000-memory.dmp

memory/384-616-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2896-615-0x00000000023F0000-0x00000000023F9000-memory.dmp

memory/1952-617-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1952-618-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/384-619-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5504-621-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/3936-622-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/5504-624-0x0000000005D00000-0x0000000005D10000-memory.dmp

memory/3640-623-0x00000000041B0000-0x00000000045AD000-memory.dmp

memory/3640-625-0x00000000046B0000-0x0000000004F9B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 99e5093ced861f7ce640640c7c771c97
SHA1 dfcb73fbf17959defc55661d3124427b201d1724
SHA256 be6254c082b9d63657e232b82a01ae126d7880bca77d836c1b0e3d120fd68ac9
SHA512 88dfb262af75da7ac155fee62995eef61d9002f2e5ffa2444829873f9b138667bea1bc49220fd2383f2732ff293eb97cc06ef1f8c03fbe3b8f8a6cd83cdcb36e

memory/384-662-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3224-661-0x0000000003270000-0x0000000003286000-memory.dmp