Malware Analysis Report

2025-01-23 11:33

Sample ID 231010-27dshsah87
Target file.exe
SHA256 c4ff82eef890fe1422a1fa970b0e55acbebd40fcc936da211cac4fbc7191f56a
Tags
evasion persistence trojan amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor dropper infostealer loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4ff82eef890fe1422a1fa970b0e55acbebd40fcc936da211cac4fbc7191f56a

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary


Amadey

Healer

DcRat

SmokeLoader

Glupteba

Detects Healer, an antivirus disabler dropper

Glupteba payload

Modifies Windows Defender Real-time Protection settings

RedLine

SectopRAT

RedLine payload

SectopRAT payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Windows security modification

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 23:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 23:13

Reported

2023-10-10 23:15

Platform

win7-20230831-en

Max time kernel

118s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A

All of the Defender tampering in this run comes from one stage, 1NV06ug8.exe, which matches the behaviour the Healer (antivirus disabler) signatures describe: it creates the Real-Time Protection policy key, sets the five Disable* values to 1 and writes Features\TamperProtection = 0 (T1562.001). The sandbox records the registry writes, not their effect. On the Windows 7 platform of this run there is no Tamper Protection to defeat; on a current Windows 10/11 host with Tamper Protection on, these writes are ignored and the Features\TamperProtection value is itself protected, so a matching host should be checked for what the policy key actually contains rather than assumed disabled.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe N/A

Caveat on the signature name: these RunOnce values do not start a payload. file.exe and each of its inner executables is a WExtract self-extracting cabinet (the IExpress/WEXTRACT stub). Each layer extracts the next into a fresh %TEMP%\IXP00n.TMP directory and registers RunOnce\wextract_cleanupn = rundll32.exe advpack.dll,DelNodeRunDLL32 "<that directory>" so the directory is deleted at the next logon. The four values therefore document the nesting, file.exe → IXP000.TMP\uf4kL78.exe → IXP001.TMP\kh7Ke07.exe → IXP002.TMP\JK1Tw73.exe → IXP003.TMP\{1NV06ug8.exe, 2ox6316.exe}, rather than persistence; the only autostart the report records is the scheduled task in the Windows 10 run.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1072 set thread context of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Read together with the WriteProcessMemory rows below and the UnmapMainImage signature in the summary, this is process hollowing (T1055.012): 2ox6316.exe starts the .NET host AppLaunch.exe (PID 2720), unmaps its image, writes a new one into it and resets the main thread's context to the new entry point. The dumps taken from PID 2720 at 0x00400000-0x00433000 in the Files section are that injected image, and the hollowed AppLaunch.exe is the process that enumerates the SCSI registry keys in the Windows 10 run. 2ox6316.exe itself crashed afterwards (WerFault.exe -p 1072).

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2112 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe 7
PID 2012 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe 7
PID 2640 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe 7
PID 2644 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe 7
PID 2644 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe 7
PID 1072 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 14
PID 1072 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\SysWOW64\WerFault.exe 7

(Identical rows collapsed; the Events column is the number of times each write relation was recorded. The 1072 → 2720 relation stands out with twice the writes of the launch hops.)
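The chain above can be recovered mechanically from rows in this format. The following is an added example by the editor, not the sandbox's own code: it parses "PID X wrote to memory of Y" and "PID X set thread context of Y" rows, builds the process tree by taking the first process that writes into a PID as its parent (an assumption that holds for a sandbox's creation-time writes but would misattribute a later injection into an already-running process), and reports a SetThreadContext from a %TEMP% process into a Microsoft binary under C:\Windows as a hollowing candidate. The embedded rows are the distinct rows of the tables above.

```python
"""Rebuild the execution chain from sandbox WriteProcessMemory and
SetThreadContext rows and flag the process-hollowing pattern.

Added example (editor's code, not the sandbox's). The rows below are the
distinct rows of this report's behavioral1 tables; treating the first
process that writes into a PID as that PID's parent is an assumption that
holds for creation-time writes but not for later injections.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) N/A (\S+) (\S+)$")

# Constructed input: one line per distinct WriteProcessMemory relation.
WRITE_ROWS = r"""
PID 2112 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
PID 2012 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
PID 2640 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
PID 2644 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
PID 2644 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
PID 1072 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1072 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\SysWOW64\WerFault.exe
"""
# Constructed input: the single SetThreadContext row of the report.
CTX_ROWS = r"""
PID 1072 set thread context of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"""


def parse_rows(text, pattern):
    """Return (src_pid, dst_pid, src_image, dst_image) for every matching row."""
    edges = []
    for line in text.strip().splitlines():
        m = pattern.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.append((int(src), int(dst), src_img, dst_img))
    return edges


def build_tree(edges):
    """Return (root PIDs, parent -> children, pid -> image path)."""
    images, children, parent_of = {}, defaultdict(list), {}
    for src, dst, src_img, dst_img in edges:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in parent_of:          # first writer == creator (assumption)
            parent_of[dst] = src
            children[src].append(dst)
    roots = sorted(pid for pid in images if pid not in parent_of)
    return roots, children, images


def find_hollowing(ctx_edges):
    """SetThreadContext from a %TEMP% process into a Microsoft binary under
    C:\\Windows is the classic RunPE / hollowing tell (T1055.012)."""
    return [(src, dst, dst_img) for src, dst, src_img, dst_img in ctx_edges
            if "\\AppData\\Local\\Temp\\" in src_img
            and dst_img.lower().startswith("c:\\windows\\")]


def render(pid, children, images, depth=0):
    """Indented text tree rooted at pid, one process per line."""
    lines = ["  " * depth + f"{images[pid]} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, images, depth + 1))
    return lines


if __name__ == "__main__":
    roots, children, images = build_tree(parse_rows(WRITE_ROWS, WRITE_RE))
    for root in roots:
        print("\n".join(render(root, children, images)))
    for src, dst, img in find_hollowing(parse_rows(CTX_ROWS, CTX_RE)):
        print(f"hollowing candidate: PID {src} -> PID {dst} ({img})")
```

Run as-is it prints the eight-process tree rooted at file.exe (PID 2112) and one hollowing candidate, 1072 → 2720 (AppLaunch.exe). The heuristic deliberately keys on the SetThreadContext row rather than on write counts: a parent writes into every child it launches, so WriteProcessMemory alone separates nothing.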

Processes

Execution chain of the Windows 7 run. PIDs are taken from the WriteProcessMemory and SetThreadContext rows above, treating each process's first writer as its parent; WerFault's "-p 1072" confirms 2ox6316.exe as the process that crashed. Command lines are shown where they differ from the image path.

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 2112)
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe  (PID 2012)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe  (PID 2640)
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe  (PID 2644)
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe  (PID 2788, Defender tampering)
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe  (PID 1072, injector; crashed)
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2720, hollowed by 2ox6316.exe)
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          C:\Windows\SysWOW64\WerFault.exe  (PID 2904)
            C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 284

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe

MD5 fac4493cca3a84ccca13bf71266940c6
SHA1 5b9fc49ab7be5fd5224a0ac098dcad46fb023d1d
SHA256 0822847c499cdf1e711b3b7c1687c6a01d4bfb374ed433078e9700369264ddc7
SHA512 c53f2c3bc02ab4a108420d28a1a2f8a61e1e2c9de3ac680cd14cdeff17c8106772b38bc5ff6553aae7aa7f9e56f011dcd959079662de74ae5b4028898a1239ac

\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe

MD5 f8e69c9f9cdb5ecf7e184a52bd8d1ac3
SHA1 cc90ce93768c3820ddc0a9fd4159b0ce361c703a
SHA256 c152cba55b199b68e3d10ce6a44d5f94aa3cb635bacfb7f3d2e06e2e8e92fd35
SHA512 22ac9e4c3865d80dea8ded0c5e9df70515736d12a8d2aaf724bae1fe2a1ba364ada78faeed09514a154283507de508687822f66460f6e5b17099ce05b18e6ca2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe

MD5 ec2f1db1ea37f3d8e4cbdf006f9eb4a8
SHA1 8fdf6461008a2ec0925926ecf6a2b6a05f1c6f6c
SHA256 7c965feb98ea070b49ea18546d9a7816a1017f4677cbca66c22233e4b5e37aad
SHA512 737fd59da2c3fba789b121a51169cb7a620b7081ce236ac4cd1b608524868493e48887720eb83446a629bba41116e1096e8fd2f3235b2634cc849c5df33187de

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/2788-40-0x00000000020B0000-0x00000000020CE000-memory.dmp

memory/2788-41-0x0000000002130000-0x000000000214C000-memory.dmp

memory/2788-42-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-43-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-45-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-47-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-49-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-51-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-53-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-55-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-57-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-59-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-61-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-63-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-65-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-69-0x0000000002130000-0x0000000002146000-memory.dmp

memory/2788-67-0x0000000002130000-0x0000000002146000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe

MD5 371dc8c2029b9ce122c78657683e630f
SHA1 9ed66f17a1f57acce46bc691696f4029969307bd
SHA256 9f2db7598de5e915e50236c9702d3da40782bf06babcc1e023a4998e8ecc48eb
SHA512 15246935816eb92c5444e76295ba7086d8b7c1803f6c8aca2a65cca94c9a0b681cc7bee32965b57f3b0f1ef4d48b11895d96bb83b1c72d51f45b4f94f05bd9c2

memory/2720-76-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-78-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-82-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-80-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-84-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-86-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-88-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2720-89-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-91-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-93-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-94-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2720-99-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 23:13

Reported

2023-10-10 23:16

Platform

win10v2004-20230915-en

Max time kernel

132s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1FE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1FE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1FE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1FE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1FE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1FE.exe N/A

(Rows grouped by process.) Two Defender-disabling stages run on Windows 10: 1NV06ug8.exe from the SFX chain, whose writes are recorded under the WOW6432Node view of the policy hive, and 1FE.exe, a later-stage file absent from the Windows 7 run (this run reaches the download stage; see "Downloads MZ/PE file"), which writes the native path. The Defender service reads the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection key, so a write that only reaches the WOW6432Node copy changes nothing; and with Tamper Protection enabled neither set of writes is honoured. As in the Windows 7 run, the sandbox logs the write, not its effect.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FB26.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4BE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1FE.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F623.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe N/A

(Rows grouped by chain.) These are WExtract's own cleanup entries, which delete an IXP00n.TMP extraction directory at the next logon through advpack.dll,DelNodeRunDLL32; they do not autostart a payload, and the persistence recorded for this run is the scheduled task below. Two nested SFX bundles are visible. The first four rows are the same nest as on Windows 7: file.exe → IXP000.TMP\uf4kL78.exe → IXP001.TMP\kh7Ke07.exe → IXP002.TMP\JK1Tw73.exe → IXP003.TMP. The last five belong to F623.exe, a second bundle that is not part of the original file's nest and only appears in this run: F623.exe → IXP000.TMP\kx4St2pf.exe → IXP002.TMP\IB0tc6CQ.exe → IXP003.TMP\Ok8bG1wv.exe → IXP004.TMP\FG2wS5ol.exe → IXP005.TMP. Directory numbers are allocated first-free, so the two chains reuse and skip numbers; pair each value with the process that wrote it rather than reading the IXP number as a layer index.

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1FE.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
PID 4480 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
PID 4480 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe
PID 1700 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
PID 1700 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
PID 1700 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe
PID 4980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
PID 4980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
PID 4980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe
PID 3476 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
PID 3476 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
PID 3476 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe
PID 3476 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
PID 3476 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
PID 3476 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe
PID 920 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 920 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4980 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe
PID 4980 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe
PID 4980 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe
PID 3132 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe
PID 1700 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe
PID 1700 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe
PID 1644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4480 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe
PID 4480 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe
PID 4480 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe
PID 3832 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe C:\Windows\system32\cmd.exe
PID 3832 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe C:\Windows\system32\cmd.exe
PID 4008 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4008 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4008 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4008 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 3828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 3828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 920 -ip 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4200 -ip 4200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 200

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3132 -ip 3132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1644 -ip 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8141.tmp\8142.tmp\8143.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x144,0x178,0x7ffa99ae46f8,0x7ffa99ae4708,0x7ffa99ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa99ae46f8,0x7ffa99ae4708,0x7ffa99ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17899034150035375710,16723733400759851049,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,17899034150035375710,16723733400759851049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\F623.exe

C:\Users\Admin\AppData\Local\Temp\F623.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\FA1B.exe

C:\Users\Admin\AppData\Local\Temp\FA1B.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\FB26.bat

"C:\Users\Admin\AppData\Local\Temp\FB26.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 388

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC4D.tmp\FC4E.tmp\FC4F.bat C:\Users\Admin\AppData\Local\Temp\FB26.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1156 -ip 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1068 -ip 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99ae46f8,0x7ffa99ae4708,0x7ffa99ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\FE53.exe

C:\Users\Admin\AppData\Local\Temp\FE53.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffa99ae46f8,0x7ffa99ae4708,0x7ffa99ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1FE.exe

C:\Users\Admin\AppData\Local\Temp\1FE.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2030013216020824263,12577724750966350802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5340 -ip 5340

C:\Users\Admin\AppData\Local\Temp\4BE.exe

C:\Users\Admin\AppData\Local\Temp\4BE.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 408

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\3F86.exe

C:\Users\Admin\AppData\Local\Temp\3F86.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\B265.exe

C:\Users\Admin\AppData\Local\Temp\B265.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\B583.exe

C:\Users\Admin\AppData\Local\Temp\B583.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\BA56.exe

C:\Users\Admin\AppData\Local\Temp\BA56.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5460 -ip 5460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 792

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
FI 77.91.124.55:19071 tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com udp
US 8.8.8.8:53 9.240.123.52.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 126.209.247.8.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 api.ip.sb udp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uf4kL78.exe

MD5 fac4493cca3a84ccca13bf71266940c6
SHA1 5b9fc49ab7be5fd5224a0ac098dcad46fb023d1d
SHA256 0822847c499cdf1e711b3b7c1687c6a01d4bfb374ed433078e9700369264ddc7
SHA512 c53f2c3bc02ab4a108420d28a1a2f8a61e1e2c9de3ac680cd14cdeff17c8106772b38bc5ff6553aae7aa7f9e56f011dcd959079662de74ae5b4028898a1239ac

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kh7Ke07.exe

MD5 f8e69c9f9cdb5ecf7e184a52bd8d1ac3
SHA1 cc90ce93768c3820ddc0a9fd4159b0ce361c703a
SHA256 c152cba55b199b68e3d10ce6a44d5f94aa3cb635bacfb7f3d2e06e2e8e92fd35
SHA512 22ac9e4c3865d80dea8ded0c5e9df70515736d12a8d2aaf724bae1fe2a1ba364ada78faeed09514a154283507de508687822f66460f6e5b17099ce05b18e6ca2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK1Tw73.exe

MD5 ec2f1db1ea37f3d8e4cbdf006f9eb4a8
SHA1 8fdf6461008a2ec0925926ecf6a2b6a05f1c6f6c
SHA256 7c965feb98ea070b49ea18546d9a7816a1017f4677cbca66c22233e4b5e37aad
SHA512 737fd59da2c3fba789b121a51169cb7a620b7081ce236ac4cd1b608524868493e48887720eb83446a629bba41116e1096e8fd2f3235b2634cc849c5df33187de

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NV06ug8.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/4848-28-0x0000000004A10000-0x0000000004A2E000-memory.dmp

memory/4848-29-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/4848-30-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/4848-31-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/4848-32-0x0000000004A80000-0x0000000005024000-memory.dmp

memory/4848-33-0x0000000005090000-0x00000000050AC000-memory.dmp

memory/4848-35-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-34-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-37-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-39-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-41-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-43-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-45-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-47-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-49-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-51-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-53-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-55-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-57-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-59-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-61-0x0000000005090000-0x00000000050A6000-memory.dmp

memory/4848-62-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/4848-63-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/4848-64-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/4848-66-0x0000000074A80000-0x0000000075230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ox6316.exe

MD5 371dc8c2029b9ce122c78657683e630f
SHA1 9ed66f17a1f57acce46bc691696f4029969307bd
SHA256 9f2db7598de5e915e50236c9702d3da40782bf06babcc1e023a4998e8ecc48eb
SHA512 15246935816eb92c5444e76295ba7086d8b7c1803f6c8aca2a65cca94c9a0b681cc7bee32965b57f3b0f1ef4d48b11895d96bb83b1c72d51f45b4f94f05bd9c2

memory/4200-70-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4200-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4200-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4200-74-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Sa58fp.exe

MD5 12460906a7c3f7a8746a4fc8093cc317
SHA1 6a4707caa81c1f4d013dfccc841b80e36b6a0456
SHA256 64e4a89f517ea9eb63afd5fff5606789f40c3f92b785fe6badc952088562d6aa
SHA512 ea0b3b5ac072eddba97680dbc13a63f2380e5a534e97a3417182f2ba347558396d8447126c325d418a81e0dec7376daf58f03f2b740cb543aece21884cd54324

memory/2580-78-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2580-79-0x0000000000400000-0x0000000000409000-memory.dmp

memory/764-80-0x0000000002A00000-0x0000000002A16000-memory.dmp

memory/2580-81-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pV420ZW.exe

MD5 2b263a74414c8f43334f2892fa32d483
SHA1 f15321e32d5ed26a02ef940ef57fb917865630eb
SHA256 3306f2704bb1870c669656380ad353de5e4e2a7971e411ee8f4ef78819aa499a
SHA512 51ff275a8053ba631032f6f9c1a987224154d5ce2df8950b1c072a4f2cbd2be60b058833935d9eb5a6073537ddd9d28f2d6f26ada52ee2305b9e7f9ddde2f989

memory/1092-87-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1092-88-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/1092-89-0x00000000072E0000-0x0000000007372000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc5cd1.exe

MD5 9ffab6d848973016931d67e94f6b3f9e
SHA1 cbb64af817ff95237c107f4e8838b642effb0e36
SHA256 2f0f943047f9feb2f979de6582cf6e778427d10dd1fcc70f04ce0cdbd1ccbfb6
SHA512 5c0d3165bedf54b3e8d2396a8bd5be960f6f596d5b74b6fd3f8e63dace38fcf13edbd127fab7913ba9f887e9064c3aeaae9afd4b1de7ab7dd4a0488d9faf40ed

memory/1092-94-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/1092-95-0x0000000007290000-0x000000000729A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8141.tmp\8142.tmp\8143.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/1092-97-0x00000000083C0000-0x00000000089D8000-memory.dmp

memory/1092-98-0x00000000076C0000-0x00000000077CA000-memory.dmp

memory/1092-99-0x0000000007510000-0x0000000007522000-memory.dmp

memory/1092-100-0x0000000007570000-0x00000000075AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 45fe8440c5d976b902cfc89fb780a578
SHA1 5696962f2d0e89d4c561acd58483b0a4ffeab800
SHA256 f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96
SHA512 efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25

memory/1092-104-0x00000000075B0000-0x00000000075FC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_3584_VZWUANNIMDNKIKMG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_1992_TWZUAZPQQZDBOKIC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b3f1da79c774aabc7377db42668d05fd
SHA1 4ae51e0aa411286ba8915cf6abd832abba96f5ab
SHA256 d09bd5e4e3e2029bda46b5d830e844211a63db7afad583c01b1c62b39a84a817
SHA512 ae67ff8586ccb159406298e014c48f2e54dfb06a309ef5c7b5994e9052cf29ddb0f761a743919876f46a5fda89a1c4c1c0a01ee71caae4735518a206298b935a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bd4e16ab174921fa494f6c886a38d170
SHA1 e08a0f8dd542682f2753a1205b405c0dd0b59d88
SHA256 7e971c17b4368cc0db985f72d51b1ed94d3feb4b704575ec5db3157bb204cb85
SHA512 caf3bc62e4feece1142110b0b296a3e8cc92c9a23b3c1ed9d6aa1df3d187396e220da8d28df878c256a38ab849fd3d2c0983484cfb1754549d1f9a871461b50e

memory/1092-245-0x0000000074760000-0x0000000074F10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b3f1da79c774aabc7377db42668d05fd
SHA1 4ae51e0aa411286ba8915cf6abd832abba96f5ab
SHA256 d09bd5e4e3e2029bda46b5d830e844211a63db7afad583c01b1c62b39a84a817
SHA512 ae67ff8586ccb159406298e014c48f2e54dfb06a309ef5c7b5994e9052cf29ddb0f761a743919876f46a5fda89a1c4c1c0a01ee71caae4735518a206298b935a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b31cf1ff8bf63192973c7d1325e18ed7
SHA1 4a748cd4489860b0bfd25eccde79abaff761c5c8
SHA256 964dd9964678d5b0d3656f7b9a5a5dcf6565bcaa049fed56d787cfee1e04a180
SHA512 434301054cf0b25b71663aca7c944220624478f5da6f5711f06c96b3c8d02b02775710dd7a62f94b80c54684c31a8c6ab1a6acf59fda0a7c9c12eadffa6e8f9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e72f482f672bb256479df48a99999bb1
SHA1 a8b26d2c09bc59dcfba6da5a07feadf413baf3c7
SHA256 acdcdb2c743ac2f6a0f97f90cdba68d6436c7c998a6d6971568949307e723c82
SHA512 267976ad130a86d3cecef9f7879d708e38a60e2c8416841df5fbb2ff1199b2341961fdb152ffd1b40a141a43e4f3d2565f657721c78b8dc22615c610410812dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 25ac77f8c7c7b76b93c8346e41b89a95
SHA1 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512 df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 beaa0ca71907409713589bad56f43194
SHA1 ed92e405cb2c14e06a45b68abdd795d425d998d5
SHA256 2fd96e1a713a2724a17d8b7998e42f2c133774a2222ed71ad9996688871b0b58
SHA512 b47757c7548f51210226d08b12e5f8cb0afc2da962caec27d556ea83b0c37498bb4775ecbe843290d347f883013764007ca84c5dd0d283be39125d2c723a7f37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\F623.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Wv57eP.exe

MD5 9d4d147233220521442956ab1e41861a
SHA1 b8377797207475fd453286d26f2d2a4bb8d83728
SHA256 c7df1e7fd95ac9e40120f055fe83ffd55998d2fb5e8406a787a3b0d2b5732e7d
SHA512 becc06ca3397f84171c7cff851ff7c643e730ca00b9097296c2bc88046bc2d76f127d2594a7caed6d98be9588f2010896ec3adb46c13bc3b7be2aaa8529ec5ec

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\FA1B.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\FB26.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/4848-353-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4848-354-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4848-355-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FC4D.tmp\FC4E.tmp\FC4F.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/1068-358-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1068-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1068-362-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Temp\FE53.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Temp\1FE.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\1FE.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/5560-379-0x0000000000A30000-0x0000000000A3A000-memory.dmp

memory/4848-378-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

memory/5632-384-0x00000000007F0000-0x000000000082E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4BE.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5560-481-0x00007FFA95FB0000-0x00007FFA96A71000-memory.dmp

memory/5632-482-0x0000000007850000-0x0000000007860000-memory.dmp

memory/5684-483-0x0000000007970000-0x0000000007980000-memory.dmp

memory/5632-484-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/5684-485-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/5560-509-0x00007FFA95FB0000-0x00007FFA96A71000-memory.dmp

memory/5632-510-0x0000000007850000-0x0000000007860000-memory.dmp

memory/5684-511-0x0000000007970000-0x0000000007980000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 082f641a21e6b42f4664b71c7261fcc0
SHA1 ddf5f7fd2608e0b78f107e1d85264c372269e9ac
SHA256 9ea93e584942140eeb17d411c101c864c70989963dd6254fc8b90ef29a5b4eac
SHA512 97411c65cc33ca79adce3fd0acbdad3bf0b2837a2b4e8f756598965bdb921234b1f19ad7f03163196af948dd5c39719481f2460f4e089172a5330935b9fbca09

memory/5560-545-0x00007FFA95FB0000-0x00007FFA96A71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a6f4.TMP

MD5 aafc97fc8853041734760269d95a63c2
SHA1 138b084c9f5f654cace3ad551aa6c4a03b27b75c
SHA256 c267efd77fa4af8c00c4a3f94b86024a07b3ae8587192c893188cca43c3986f2
SHA512 e5fea0d115fe8ccf6009d33ae61bad541ce172767ec5ecddb04f3d1f2ae493ac60b5213e1fcef5019f6a061062ceff9acd5641e98171ea7c33e15e4922ea7959

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 80425d045881e9f920f540ca1d0cf22c
SHA1 6c98c416637eef316b3180e1dba1abd0967bb743
SHA256 b8d3378b7af46ed3f22664dba5ec836e1e008367c72c7aa7b0fbbaba08d1a148
SHA512 d217fa2d6c994a83aceb52e84aa7c323c5c73e39c58251faf7aa927dae4e7b72640e503ea6fe8ca2c1323638643ec189218ce419874c4d7620629da5c69a9de9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4d49938cfb41f6b23c9c0ab3ee211bc0
SHA1 8f1f1be59734f8279b596a024fab8fca0b5290e5
SHA256 07982de27ad2af276b22758c996e8cb4e5bc174919b47135dea91a6e721f6350
SHA512 dd22d5c328dc5afe86c2310a4b60e421cef1f98983f5d79d8469f470e8f899f95fcc0155b0146b3686de33cb5ebe1311e3e6f8b7f472b1e66f3666c951edd117

memory/2632-562-0x0000000074760000-0x0000000074F10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 fca118b10b39c6a5ccbd41836c9fdc1a
SHA1 396a69e6f501b7ceff45ddb1d365e0bf00f73720
SHA256 5476997817a32ab11036754ce4be6630b1cb4e5be9c46906c0a328c54e9a4b6d
SHA512 8752e7fb86a705b9aee8fd83d5f156c18563a8cd68c1d66c2f23c9ddba4f9954ffb79d24d8f3aefd7f087679107a92aa113e8f88823fbefb2e3e2f3ff8190a41

memory/2632-563-0x0000000000020000-0x0000000000F4A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4f98340714e49653a52ce9087c963d49
SHA1 970f5b869e0ce3de612f60255c54ee58fb939baa
SHA256 728a70daa9c6bcf6f5570dbbc21f3b82af91d424c2f76a1c3b515b5edb473bba
SHA512 e12fbc7963d2f9856f5a2d4b454195cd3fddfd9063a7b31a02a7acda79a5e2da2f1811bc518af283f2973fcbf295c08cb370c65e0fcc130eea710c6a40ec9033

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/2204-601-0x0000000074760000-0x0000000074F10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2204-602-0x0000000000D70000-0x0000000001286000-memory.dmp

memory/2632-608-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/3144-610-0x00000000023A0000-0x00000000023A9000-memory.dmp

memory/2204-612-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

memory/2204-615-0x0000000005B30000-0x0000000005B31000-memory.dmp

memory/2204-614-0x0000000005DE0000-0x0000000005E7C000-memory.dmp

memory/4112-613-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4112-611-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3144-609-0x0000000002590000-0x0000000002690000-memory.dmp

memory/5460-617-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5460-619-0x0000000000700000-0x000000000075A000-memory.dmp

memory/1480-624-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/1684-627-0x00000000007D0000-0x00000000007EE000-memory.dmp

memory/1480-625-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5460-629-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/1684-631-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/1480-632-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/5232-633-0x0000000004720000-0x000000000500B000-memory.dmp

memory/5232-635-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5232-636-0x0000000004220000-0x0000000004620000-memory.dmp

memory/1684-637-0x0000000005040000-0x0000000005050000-memory.dmp

memory/1480-638-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/2204-641-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/764-642-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

memory/4112-643-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2204-646-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

memory/5232-648-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 226a644e62f4322853a1b1457b733e57
SHA1 c40d63b9771f309354c41f60b00cee390625f8f6
SHA256 4997db8ff7d74fcdf70d8ff577d719877d324718bc32d2f944f46d489c18e4f3
SHA512 8d58992f6fe1919d1830db2e00812b5ac6bdf518fc30b17c6cf9e73329a5530e28755d66b7e3dd421a7f77d79ff68896b7129f156e8711b2311b52b15996a44a

memory/2204-670-0x0000000005FE0000-0x0000000005FFC000-memory.dmp

memory/4744-669-0x00007FF7BE410000-0x00007FF7BE9B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/5460-676-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5460-677-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/5232-678-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1684-681-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/5232-682-0x0000000004720000-0x000000000500B000-memory.dmp