Malware Analysis Report

2025-01-23 11:29

Sample ID 231010-27fbcaah88
Target 0f790705c38d456af7c8a0147e9c35e4.exe
SHA256 3a1a46d10a40bb66b4472a6afc593cb7708e933e7b5354449cdf47b4d528fc94
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware trojan mystic lutyr magia stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a1a46d10a40bb66b4472a6afc593cb7708e933e7b5354449cdf47b4d528fc94

Threat Level: Known bad

The file 0f790705c38d456af7c8a0147e9c35e4.exe was found to be: Known bad.

Malicious Activity Summary

Detect Mystic stealer payload

Mystic

Glupteba payload

RedLine

SectopRAT

Modifies Windows Defender Real-time Protection settings

Detected google phishing page

Healer

Glupteba

DcRat

SmokeLoader

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

Detects Healer an antivirus disabler dropper

RedLine payload

Downloads MZ/PE file

Loads dropped DLL

Windows security modification

Executes dropped EXE

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 23:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 23:13

Reported

2023-10-10 23:17

Platform

win7-20230831-en

Max time kernel

168s

Max time network

183s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\7092.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7092.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\7092.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\7092.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7092.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\7092.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1776 created 1256 N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\67B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6A88.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6C4D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7092.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7303.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\500B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5643.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\59EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7303.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2F.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\7092.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\7092.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\65C5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000a0954968341fd80370792e0c14b40970655d31422304a357e10869590975477b000000000e80000000020000200000001d0dfdf65dd868b72bab92960fde0870b73ea4ebfadf6ca9914758011c3a6b48200000001cdf776d9a8074860dcac1234c2c1f703240d9658b406732a39f6f8df48d9e7b40000000c778e83028d2f161c6dbe320065efec8f6edc60a2ecb7f43fc8455cbc6a569590f4545acf8b7d5e0e55b2ec7bf892680d08ad3c7dbba3cc7de35af1fb2568b2a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000d6d738693dc63b06b12dfea95a05daf07556980ff06b1a298a052d48f67545b5000000000e8000000002000020000000e48b9a48b2dab6908e9dcb0aefdce5d8f2afd7e3fe9ce539011a4656af55b68790000000f531366193437b8f4d13fad4a665c02bad1a77eaf004be0e51536395c18ea3b182df13433587be52fb511916a3867b81793142883df0c991b34b869b4ce72059f363f5bfd5bd6c4bc1e229ce14ad247719c5933b6e8d9513cbc80091939c43e182e2e033a09a59e6b41b972536475637f5a3e1560bd4a9fb4f24782c9aa5c8413c3b6b68604e3a372629844a3109dbb940000000d41616c75050152615e28fd8b8094b02ee91707a963bf0470e6c7b0515f44916e2630346d04429e049cd4d585ba7362bc678a199d65265c4275f27e2d12ee80c C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EC7C3F11-67C2-11EE-9ADF-D2B3C10F014B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a05baadacffbd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403141612" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EC64BF71-67C2-11EE-9ADF-D2B3C10F014B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7092.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5643.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\59EC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Calls
PID 2252 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe 7
PID 1592 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe 7
PID 2708 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10
PID 2708 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe 7
PID 1256 wrote to memory of 2536 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\65C5.exe 7
PID 2536 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\65C5.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe 7
PID 1256 wrote to memory of 2196 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\67B9.exe 4
PID 2936 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe 7
PID 804 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe 7
PID 2196 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\67B9.exe C:\Windows\SysWOW64\WerFault.exe 1
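
The WriteProcessMemory rows above are raw sandbox output: one row per call, most of them the ordinary parent-writes-into-child activity of CreateProcess. What an analyst wants from them is the injection chain and the one write that is not ordinary, a9777033.exe writing ten times into a freshly started, argument-less AppLaunch.exe (the classic RedLine/SectopRAT hollowing host, consistent with the "Suspicious use of SetThreadContext" signature in the summary). The block below is an added example, not part of the sandbox report: it parses the rows (copied from the table, each paired with the number of times the sandbox printed it), collapses repeats, rebuilds the write chain per root PID and flags writes from a user-writable path into a Windows-signed .NET host. The HOLLOW_HOSTS list and the exclusion of WerFault.exe are the editor's heuristics, not something the report states.

```python
import re
from collections import Counter

# Rows copied from the "Suspicious use of WriteProcessMemory" table, as
# (row, number of identical rows) so the list stays short; expand_rows()
# rebuilds the one-row-per-call table the sandbox printed (64 rows).
TABLE = [
    (r"PID 2252 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe", 7),
    (r"PID 1592 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe", 7),
    (r"PID 2708 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", 10),
    (r"PID 2708 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\SysWOW64\WerFault.exe", 7),
    (r"PID 1256 wrote to memory of 2536 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\65C5.exe", 7),
    (r"PID 2536 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\65C5.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe", 7),
    (r"PID 1256 wrote to memory of 2196 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\67B9.exe", 4),
    (r"PID 2936 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe", 7),
    (r"PID 804 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe", 7),
    (r"PID 2196 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\67B9.exe C:\Windows\SysWOW64\WerFault.exe", 1),
]

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Editor's heuristics (assumptions, not from the report):
# anything started from a user-writable directory is untrusted ...
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# ... and these signed .NET/system binaries are the usual hollowing hosts.
# WerFault.exe is deliberately absent: a crashing process launches it and
# writes into it as part of normal error reporting, which is all the
# WerFault rows above show.
HOLLOW_HOSTS = {"applaunch.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}


def expand_rows(table=TABLE):
    """Rebuild the table exactly as the sandbox printed it, one row per call."""
    return [row for row, n in table for _ in range(n)]


def parse_row(row):
    """'PID a wrote to memory of b N/A src dst' -> (a, b, src, dst)."""
    m = ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    src, dst, src_img, dst_img = m.groups()
    return int(src), int(dst), src_img, dst_img


def collapse(rows):
    """Count identical (writer PID, target PID, writer image, target image) edges."""
    return Counter(parse_row(r) for r in rows)


def chain_from(edges, root_pid):
    """PIDs the root wrote into, transitively, depth-first in table order."""
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        children = [e[1] for e in edges if e[0] == pid and e[1] not in out]
        out.extend(children)
        stack.extend(reversed(children))
    return out


def hollowing_candidates(edges):
    """Edges where an untrusted image writes into a Windows-signed hollowing host."""
    hits = []
    for (src, dst, src_img, dst_img), calls in edges.items():
        writer_untrusted = src_img.lower().startswith(USER_WRITABLE)
        target = dst_img.lower()
        target_is_host = (target.startswith("c:\\windows\\")
                          and target.rsplit("\\", 1)[-1] in HOLLOW_HOSTS)
        if writer_untrusted and target_is_host:
            hits.append((src, dst, src_img, dst_img, calls))
    return hits


if __name__ == "__main__":
    edges = collapse(expand_rows())
    for root in (2252, 1256):  # the sample itself, and Explorer (SmokeLoader's injected host)
        print(root, "->", chain_from(edges, root))
    for src, dst, src_img, dst_img, calls in hollowing_candidates(edges):
        print(f"hollowing candidate: {src} ({src_img}) -> {dst} ({dst_img}), {calls} writes")
```

The count alone is a weak signal (ten writes versus seven); the combination of an untrusted writer, a signed .NET host and an empty command line is what makes the AppLaunch.exe edge stand out, and it is the same pattern the later RegSvcs.exe launches in the Processes list fit.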

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe

"C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 284

C:\Users\Admin\AppData\Local\Temp\65C5.exe

C:\Users\Admin\AppData\Local\Temp\65C5.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\67B9.exe

C:\Users\Admin\AppData\Local\Temp\67B9.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 132

C:\Users\Admin\AppData\Local\Temp\6A88.bat

"C:\Users\Admin\AppData\Local\Temp\6A88.bat"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6AB5.tmp\6AD5.tmp\6AE5.bat C:\Users\Admin\AppData\Local\Temp\6A88.bat"

C:\Users\Admin\AppData\Local\Temp\6C4D.exe

C:\Users\Admin\AppData\Local\Temp\6C4D.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 132

C:\Users\Admin\AppData\Local\Temp\7092.exe

C:\Users\Admin\AppData\Local\Temp\7092.exe

C:\Users\Admin\AppData\Local\Temp\7303.exe

C:\Users\Admin\AppData\Local\Temp\7303.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:340993 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {B9B525F4-1E64-4EDC-94AC-552A57DA2704} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\9D2F.exe

C:\Users\Admin\AppData\Local\Temp\9D2F.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\500B.exe

C:\Users\Admin\AppData\Local\Temp\500B.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010231636.log C:\Windows\Logs\CBS\CbsPersist_20231010231636.cab

C:\Users\Admin\AppData\Local\Temp\5643.exe

C:\Users\Admin\AppData\Local\Temp\5643.exe

C:\Users\Admin\AppData\Local\Temp\59EC.exe

C:\Users\Admin\AppData\Local\Temp\59EC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

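Several command lines in the Processes list are the living-off-the-land steps a detection engineer would alert on rather than the dropped binaries themselves: schtasks.exe creating a task that re-runs explothe.exe from %TEMP% every minute, cacls.exe denying the logged-on user access to that file and its directory (Amadey's way of keeping the user from deleting it), powershell.exe excluding the whole user profile and Program Files from Defender, rundll32.exe loading clip64.dll from AppData\Roaming, and AppLaunch.exe and RegSvcs.exe started with no arguments at all. The block below is an added example, not part of the sandbox report: a small rule set run over those command lines (copied from the list above, plus four benign-looking lines from the same list as negative cases). The regular expressions and the ATT&CK technique mapping are the editor's choices, not something the report provides.

```python
import re

# Command lines copied from the Processes list above. The first six are the
# ones the rules should fire on; the rest are negative cases.
CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010231636.log C:\Windows\Logs\CBS\CbsPersist_20231010231636.cab',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 284',
    r'CACLS "explothe.exe" /P "Admin:R" /E',
]


def _all(*patterns):
    """Compile a set of case-insensitive patterns that must all match a line."""
    return [re.compile(p, re.I) for p in patterns]


# (description, ATT&CK technique, patterns). Mapping chosen by the editor.
RULES = [
    ("scheduled task re-run every minute, action under a user-writable path", "T1053.005",
     _all(r"\bschtasks(\.exe)?\b", r"/create\b", r"/sc\s+minute\b",
          r"/tr\s+\"?[a-z]:\\(users|programdata)\\")),
    ("cacls denies the logged-on user access to a dropped file (Admin:N)", "T1222.001",
     _all(r"\bcacls\b", r"/p\s+\"?admin:n\b")),
    ("Defender exclusion added with Add-MpPreference -ExclusionPath", "T1562.001",
     _all(r"\badd-mppreference\b", r"-exclusionpath\b")),
    ("rundll32 loading a DLL from the user profile", "T1218.011",
     _all(r"\brundll32(\.exe)?\b", r"[a-z]:\\users\\[^\s,]+\.dll\s*,")),
    (".NET framework utility started with no arguments (hollowing host)", "T1055.012",
     _all(r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\"
          r"(applaunch|regsvcs|regasm|msbuild|installutil)\.exe\"?\s*$")),
]


def triage(cmdlines, rules=RULES):
    """Return [(cmdline, description, technique)] for every rule a line satisfies."""
    hits = []
    for line in cmdlines:
        for desc, technique, patterns in rules:
            if all(p.search(line) for p in patterns):
                hits.append((line, desc, technique))
    return hits


if __name__ == "__main__":
    for line, desc, technique in triage(CMDLINES):
        print(f"{technique}  {desc}\n    {line}")
```

The argument-less .NET host rule is the noisiest of the five on a real fleet (build servers start MSBuild.exe legitimately); in production it should be joined with the parent image, as the WriteProcessMemory table here does, where the parent is an executable in %TEMP%. The Add-MpPreference rule is also worth pairing with a periodic Get-MpPreference audit, since the exclusion survives after the PowerShell process is gone.
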
Network

Country Destination Domain Proto Count
FI 77.91.68.29:80 77.91.68.29 tcp 3
RU 5.42.65.80:80 5.42.65.80 tcp 1
US 8.8.8.8:53 accounts.google.com udp 1
US 8.8.8.8:53 www.facebook.com udp 1
NL 142.251.36.45:443 accounts.google.com tcp 2
NL 157.240.247.35:443 www.facebook.com tcp 6
FI 77.91.124.1:80 77.91.124.1 tcp 2
US 8.8.8.8:53 static.xx.fbcdn.net udp 1
US 8.8.8.8:53 facebook.com udp 1
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp 12
CZ 157.240.30.35:443 facebook.com tcp 2
US 8.8.8.8:53 fbcdn.net udp 1
CZ 157.240.30.35:443 fbcdn.net tcp 2
US 8.8.8.8:53 fbsbx.com udp 1
CZ 157.240.30.35:443 fbsbx.com tcp 2
US 8.8.8.8:53 accounts.youtube.com udp 1
NL 142.251.36.14:443 accounts.youtube.com tcp 2
TR 185.216.70.222:80 185.216.70.222 tcp 1
US 8.8.8.8:53 play.google.com udp 1
NL 142.251.36.14:443 play.google.com tcp 2
US 8.8.8.8:53 www.microsoft.com udp 1
US 204.79.197.200:443 ieonline.microsoft.com tcp 3
US 8.8.8.8:53 pastebin.com udp 1
US 104.20.68.143:443 pastebin.com tcp 1
US 8.8.8.8:53 tak.soydet.top udp 1
FI 95.217.246.182:8443 tak.soydet.top tcp 1
NL 85.209.176.171:80 85.209.176.171 tcp 1
US 8.8.8.8:53 bytecloudasa.website udp 1
US 104.21.61.162:80 bytecloudasa.website tcp 12
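
Most of the Network rows are noise generated by the sample itself: it opens accounts.google.com and www.facebook.com/login in Internet Explorer (the iexplore.exe command lines above, behind the "Detected google phishing page" signature), so the Google, Facebook, fbcdn and Microsoft traffic is the browser, not the malware. The rows that matter are the plain-HTTP connections whose "Domain" column is just the IP again (no DNS lookup, so the address is hard-coded in the sample), the 8443 connection to tak.soydet.top, the pastebin.com fetch that the "Legitimate hosting services abused for malware hosting/C2" signature refers to, and the repeated HTTP traffic to bytecloudasa.website. The block below is an added example, not part of the sandbox report: it applies that triage to a subset of the rows above (repeats dropped) and derives a block list, returning resolved names as domains rather than as the IPs behind them. The lure-domain list, the pastebin classification and the port heuristic are the editor's assumptions.

```python
from collections import defaultdict

# Subset of the Network table above, 'Country Destination Domain Proto', repeats dropped.
ROWS = """\
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 104.20.68.143:443 pastebin.com tcp
FI 95.217.246.182:8443 tak.soydet.top tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
""".splitlines()

# Editor's assumptions: domains the sample opened in Internet Explorer as
# phishing lures (browser traffic, not C2) ...
LURE_DOMAINS = ("google.com", "youtube.com", "facebook.com", "fbcdn.net",
                "fbsbx.com", "microsoft.com")
# ... and legitimate hosting used as a dead drop for C2 configuration.
DEAD_DROPS = ("pastebin.com",)


def in_domains(domain, suffixes):
    """True if domain equals or is a subdomain of any listed suffix."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(row):
    """Return (category, host, port, domain) for one table row."""
    _country, dest, domain, proto = row.split()
    host, port = dest.rsplit(":", 1)
    port = int(port)
    if proto == "udp" and port == 53:
        return ("dns", host, port, domain)
    if domain == host:                 # no lookup: the address is hard-coded in the sample
        return ("direct-to-ip", host, port, domain)
    if in_domains(domain, LURE_DOMAINS):
        return ("lure-browsing", host, port, domain)
    if in_domains(domain, DEAD_DROPS):
        return ("dead-drop", host, port, domain)
    if port not in (80, 443):          # resolved name on an unusual port
        return ("odd-port", host, port, domain)
    return ("review", host, port, domain)


def summarize(rows):
    """Group rows by category as 'name:port' (or 'ip:port' when there was no name)."""
    out = defaultdict(list)
    for r in rows:
        cat, host, port, domain = classify(r)
        out[cat].append(f"{domain}:{port}")
    return dict(out)


def block_list(rows):
    """Indicators worth blocking. Hard-coded addresses go out as ip:port; resolved
    names go out as the domain, because the IP behind a name may be a shared CDN
    edge (the 104.2x.x.x addresses above fall in Cloudflare's ranges) and
    blocking it would hit unrelated sites."""
    iocs = set()
    for r in rows:
        cat, host, port, domain = classify(r)
        if cat == "direct-to-ip":
            iocs.add(f"{host}:{port}")
        elif cat in ("odd-port", "review"):
            iocs.add(domain)
    return iocs


if __name__ == "__main__":
    for cat, items in summarize(ROWS).items():
        print(f"{cat:14} {', '.join(items)}")
    print("block:", sorted(block_list(ROWS)))
```

The "review" bucket is deliberate: bytecloudasa.website is only suspicious by context (twelve plain-HTTP connections from a process tree that has already disabled Defender), and the country column is not a useful signal on its own, since the lure traffic lands in NL and CZ just as some of the C2 does in FI.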

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

MD5 1377782f5fbac0d78f45f7d690db24ce
SHA1 398ab45285f557c948b32c23dc050158852ec1f3
SHA256 9b3ae39eb225c49ca428bbff68f2c33a6c891c68d2ad9d58f47cb88c1b3bfee4
SHA512 88ba89b96ddaa267f59aea901684e355a6549ec92dc210a3f7d4a42e32dfad73995da30f4063c0331b16673c5fc65b361b1bf898f2be2b8d86aeba102f4d9f92

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

MD5 1377782f5fbac0d78f45f7d690db24ce
SHA1 398ab45285f557c948b32c23dc050158852ec1f3
SHA256 9b3ae39eb225c49ca428bbff68f2c33a6c891c68d2ad9d58f47cb88c1b3bfee4
SHA512 88ba89b96ddaa267f59aea901684e355a6549ec92dc210a3f7d4a42e32dfad73995da30f4063c0331b16673c5fc65b361b1bf898f2be2b8d86aeba102f4d9f92

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

MD5 1377782f5fbac0d78f45f7d690db24ce
SHA1 398ab45285f557c948b32c23dc050158852ec1f3
SHA256 9b3ae39eb225c49ca428bbff68f2c33a6c891c68d2ad9d58f47cb88c1b3bfee4
SHA512 88ba89b96ddaa267f59aea901684e355a6549ec92dc210a3f7d4a42e32dfad73995da30f4063c0331b16673c5fc65b361b1bf898f2be2b8d86aeba102f4d9f92

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

MD5 1377782f5fbac0d78f45f7d690db24ce
SHA1 398ab45285f557c948b32c23dc050158852ec1f3
SHA256 9b3ae39eb225c49ca428bbff68f2c33a6c891c68d2ad9d58f47cb88c1b3bfee4
SHA512 88ba89b96ddaa267f59aea901684e355a6549ec92dc210a3f7d4a42e32dfad73995da30f4063c0331b16673c5fc65b361b1bf898f2be2b8d86aeba102f4d9f92

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

memory/2728-25-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2728-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2728-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2728-27-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

memory/1256-32-0x0000000002A40000-0x0000000002A56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65C5.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\65C5.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\65C5.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\67B9.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\6A88.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\67B9.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\67B9.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\6A88.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\67B9.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\67B9.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 23:13

Reported

2023-10-10 23:16

Platform

win10v2004-20230915-en

Max time kernel

190s

Max time network

211s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F25C.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EA1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3610.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4AE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F25C.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\808.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2hH861vm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3610.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C90A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFCF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3265.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\E4AE.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AD8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 5068 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 5068 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe
PID 4128 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 4128 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 4128 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe
PID 3004 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3004 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3004 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3004 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3004 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3004 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 2264 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4AE.exe
PID 3132 wrote to memory of 2264 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4AE.exe
PID 3132 wrote to memory of 2264 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4AE.exe
PID 3132 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe
PID 3132 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe
PID 3132 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe
PID 3132 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\F25C.bat
PID 3132 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\F25C.bat
PID 3132 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\F25C.bat
PID 2264 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\E4AE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2264 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\E4AE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 2264 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\E4AE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 748 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 4032 N/A N/A C:\Users\Admin\AppData\Local\Temp\808.exe
PID 3132 wrote to memory of 4032 N/A N/A C:\Users\Admin\AppData\Local\Temp\808.exe
PID 3132 wrote to memory of 4032 N/A N/A C:\Users\Admin\AppData\Local\Temp\808.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 748 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\E80A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 4340 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD8.exe
PID 3132 wrote to memory of 4340 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD8.exe
PID 5040 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 5040 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 5040 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4496 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 4496 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 4496 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 4644 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe
PID 4644 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe
PID 4644 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe
PID 3132 wrote to memory of 4756 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA1.exe
PID 3132 wrote to memory of 4756 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA1.exe
PID 3132 wrote to memory of 4756 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA1.exe
PID 4412 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe
PID 4412 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe

"C:\Users\Admin\AppData\Local\Temp\0f790705c38d456af7c8a0147e9c35e4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3004 -ip 3004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 596

C:\Users\Admin\AppData\Local\Temp\E4AE.exe

C:\Users\Admin\AppData\Local\Temp\E4AE.exe

C:\Users\Admin\AppData\Local\Temp\E80A.exe

C:\Users\Admin\AppData\Local\Temp\E80A.exe

C:\Users\Admin\AppData\Local\Temp\F25C.bat

"C:\Users\Admin\AppData\Local\Temp\F25C.bat"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\808.exe

C:\Users\Admin\AppData\Local\Temp\808.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 748 -ip 748

C:\Users\Admin\AppData\Local\Temp\AD8.exe

C:\Users\Admin\AppData\Local\Temp\AD8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\EA1.exe

C:\Users\Admin\AppData\Local\Temp\EA1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4032 -ip 4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 404

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 388

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B8F.tmp\B90.tmp\B91.bat C:\Users\Admin\AppData\Local\Temp\F25C.bat"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 716 -ip 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1960 -ip 1960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2608 -ip 2608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 540

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2hH861vm.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2hH861vm.exe

C:\Users\Admin\AppData\Local\Temp\3610.exe

C:\Users\Admin\AppData\Local\Temp\3610.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9BF8.tmp\9BF9.tmp\9BFA.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c61946f8,0x7ff8c6194708,0x7ff8c6194718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8c61946f8,0x7ff8c6194708,0x7ff8c6194718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x80,0x78,0x84,0x70,0x88,0x7ff8c61946f8,0x7ff8c6194708,0x7ff8c6194718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8c61946f8,0x7ff8c6194708,0x7ff8c6194718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\C90A.exe

C:\Users\Admin\AppData\Local\Temp\C90A.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16467501515971427205,2671254891067059711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\DFCF.exe

C:\Users\Admin\AppData\Local\Temp\DFCF.exe

C:\Users\Admin\AppData\Local\Temp\3265.exe

C:\Users\Admin\AppData\Local\Temp\3265.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 142.251.36.45:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
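
Most rows in the table above are sandbox noise: PTR lookups the analysis host issues for every peer it talks to, mDNS, and the traffic Edge generates on its own to Bing, Facebook and Google. What remains is plaintext HTTP straight to IP addresses in FI, RU and TR (77.91.68.29 repeatedly), plus two look-alike file-hosting domains, one of which (host-file-host6.com) is only ever resolved while host-host-file8.com is resolved and then connected to over tcp/80. The script below is an added example for this report, not part of the sandbox output; it parses the table into exactly that short list. The rows embedded in it are copied (abridged, repeats dropped) from the table above; the allow-list of browser-contacted domain suffixes is an assumption of the example.

```python
"""Triage the Network table of a sandbox report into blockable IOCs.

Added example for this report, not part of the sandbox output. The rows are
copied from the page's Network table (repeats dropped). The allow-list of
domains the browser contacts on its own is an assumption for this example.
"""
import ipaddress

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
N/A 224.0.0.251:5353 udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
"""

SANDBOX_RESOLVER = "8.8.8.8"                      # the sandbox's DNS forwarder
# Assumption: suffixes the Edge session contacts by itself; tune per environment.
BENIGN_SUFFIXES = (".bing.com", ".facebook.com", ".fbcdn.net", ".google.com")


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); the mDNS row has no domain cell."""
    for line in text.strip().splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def is_benign_domain(domain):
    return domain is not None and any(
        domain == s[1:] or domain.endswith(s) for s in BENIGN_SUFFIXES)


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def triage_network(text):
    """Return {'ips': {ip: why}, 'domains': {domain: 'connected'|'resolved only'}}."""
    ips, domains, resolved_only = {}, {}, set()
    for country, ip, port, domain, proto in parse_rows(text):
        if domain and domain.endswith(".in-addr.arpa"):
            continue                                # sandbox PTR lookups of its peers
        if ip == SANDBOX_RESOLVER and port == 53:
            if domain and not is_benign_domain(domain):
                resolved_only.add(domain)           # queried; a connection may follow
            continue
        if ipaddress.ip_address(ip).is_multicast:
            continue                                # mDNS chatter
        if is_benign_domain(domain):
            continue
        if domain is None or is_ip_literal(domain):
            ips[ip] = f"direct-to-IP {proto}/{port} ({country})"
        else:
            ips[ip] = f"{domain} {proto}/{port} ({country})"
            domains[domain] = "connected"
            resolved_only.discard(domain)
    for d in resolved_only:
        domains[d] = "resolved only"
    return {"ips": ips, "domains": domains}


def plaintext_http(result):
    """IPs reached over tcp/80: payload downloads and C2 in the clear, cheap to block."""
    return sorted(ip for ip, why in result["ips"].items() if "tcp/80" in why)
```

A suffix allow-list hides traffic to legitimate services that are abused for hosting, so treat it as noise reduction for a first pass, not as a verdict on the dropped rows.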

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4499542.exe

MD5 1377782f5fbac0d78f45f7d690db24ce
SHA1 398ab45285f557c948b32c23dc050158852ec1f3
SHA256 9b3ae39eb225c49ca428bbff68f2c33a6c891c68d2ad9d58f47cb88c1b3bfee4
SHA512 88ba89b96ddaa267f59aea901684e355a6549ec92dc210a3f7d4a42e32dfad73995da30f4063c0331b16673c5fc65b361b1bf898f2be2b8d86aeba102f4d9f92

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9777033.exe

MD5 c414d07f769305cbee971ef6f8a5ade5
SHA1 48349d7a7ab93bcff9ec15451e82a9c411cd683d
SHA256 b5cb63c23fe3b809caab02751515cbcb1b7cbc3c50abcdf20885c41a84cab8f7
SHA512 8c0cb945d91619a9a2d24392021b94991d33705841714c618af4cadac0cb0eac643515f0eb31fbc3de52c1314509b1d812971fbf811e39953e026083dd16fc37

memory/1240-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1240-15-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3132-16-0x0000000002CA0000-0x0000000002CB6000-memory.dmp

memory/1240-19-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4AE.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\E80A.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\F25C.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\808.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

memory/1144-52-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1144-53-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1144-50-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1144-54-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4340-63-0x00000000003E0000-0x00000000003EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

memory/3580-68-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\AD8.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\EA1.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4340-85-0x00007FF8AD6B0000-0x00007FF8AE171000-memory.dmp

memory/3580-91-0x0000000072C70000-0x0000000073420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

memory/3580-95-0x0000000008160000-0x0000000008704000-memory.dmp

memory/1144-90-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3580-96-0x0000000007C50000-0x0000000007CE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3580-102-0x0000000005710000-0x0000000005720000-memory.dmp

memory/1960-107-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1960-109-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1960-106-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2344812.exe

MD5 d9164726ba4a40cc32b74abce71e268e
SHA1 b8c512a12fde199531b3fa65b791bb6d72a3b5a7
SHA256 02640a99c85464b56bfa4284f8d6b15df9f4acf9dbf4e9e9776ccb89266a5cc4
SHA512 4d769e64804a677fafbdf8735266ba8d5f0d9065307c6258c1c516bfdcc96e3652f2a15506c5ad729fc7a89cb0e838d09ac882c8653aac01592fbcbc565dbc80

memory/992-114-0x0000000000400000-0x0000000000428000-memory.dmp

memory/992-115-0x0000000000400000-0x0000000000428000-memory.dmp

memory/992-116-0x0000000000400000-0x0000000000428000-memory.dmp

memory/992-118-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8F.tmp\B90.tmp\B91.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

memory/3580-122-0x00000000080A0000-0x00000000080AA000-memory.dmp

memory/4340-125-0x00007FF8AD6B0000-0x00007FF8AE171000-memory.dmp

memory/1532-128-0x0000000000650000-0x000000000068E000-memory.dmp

memory/1532-129-0x0000000072C70000-0x0000000073420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3610.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/3580-131-0x0000000072C70000-0x0000000073420000-memory.dmp

memory/3232-133-0x0000000072C70000-0x0000000073420000-memory.dmp

memory/3232-132-0x00000000001B0000-0x00000000010DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3763208.exe

MD5 165f7d6eb036ef8ec1dcf923ddefc1b5
SHA1 6255df849b42b3d6b57aeef23cd1c1ff05d3dd99
SHA256 9c7a938863bf69b9ac10297addb211c36164ab1393118b26f8c128adbc97b767
SHA512 e6caa58f9172691f77b0a3115752a8ec39cbff9d625a0e36b1f54475203105ff052253daff4c14a2acde15a7e80be9e8e9a23412e69376d3c84dbb231bff51ea

memory/1532-139-0x0000000007720000-0x0000000007730000-memory.dmp

memory/3580-140-0x0000000005710000-0x0000000005720000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c126b33f65b7fc4ece66e42d6802b02e
SHA1 2a169a1c15e5d3dab708344661ec04d7339bcb58
SHA256 ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8
SHA512 eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822

C:\Users\Admin\AppData\Local\Temp\9BF8.tmp\9BF9.tmp\9BFA.bat

MD5 5a115a88ca30a9f57fdbb545490c2043
SHA1 67e90f37fc4c1ada2745052c612818588a5595f4
SHA256 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA512 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

\??\pipe\LOCAL\crashpad_748_UVHAZCIBSASMZEBU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 54d584878f3c390fecd37b6eab8e0c80
SHA1 5317c3fe64b547a689d24d119fd59e672aa8ce86
SHA256 b5660f9e5d042886937a441b8934ec78211d487d3d87deef4463cc45bf79af92
SHA512 345779370e62764d2c45e91d75cfcad66e5ceeb539fe40549c8d7824efecc419efd74dc4d10cc2d5b74fc6cdf0a6205cf690db077a9115d642b90800d4943563

memory/1532-178-0x0000000072C70000-0x0000000073420000-memory.dmp

memory/3580-180-0x0000000008D30000-0x0000000009348000-memory.dmp

memory/4628-181-0x0000000002370000-0x0000000002379000-memory.dmp

memory/4628-179-0x0000000002380000-0x0000000002480000-memory.dmp

memory/3232-182-0x0000000072C70000-0x0000000073420000-memory.dmp

memory/1532-183-0x0000000007720000-0x0000000007730000-memory.dmp

memory/1896-189-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-193-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C90A.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/5556-221-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 caf64cf59b3f5c3d17104f13db9a454a
SHA1 37a382a7d7ed13671c39c65804116c0f2ef30748
SHA256 e1b816f206f22626888d8352a3fe2ecb5cc23ed79674750dd869b18973cc8295
SHA512 ffb1403916001473f5cb5aa4a919f889cd858ab025f56eee1bfb9b60015165eac2a57cd4b003f424c00593e478eb140f90090a66b126409bb4eee7e3362ba5ff

memory/3132-229-0x0000000002C50000-0x0000000002C66000-memory.dmp

memory/1896-230-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5556-234-0x0000000000600000-0x000000000065A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e994ce5690dd6b3b7e86d4c0f8c3f418
SHA1 7931846c05c54bc4834b8dd9567047a4d5008b5a
SHA256 c7a762abcb122631aeb485182bd9452a69f59e2a137b59875e72f7dacc736a8f
SHA512 37e6e3bd5a499e60906744c87030b66683da35006698afdc4b90ec37cdfa0d2794c1136ebef3773022027033cf5c7b2fe6e3e0638a0028ba300d2bcbea47fc14

C:\Users\Admin\AppData\Local\Temp\DFCF.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3a39c9e3d7b9fbba63906b5ec081ebf4
SHA1 48d7624cb01b2c9772e30dfbdc8ea85aac869ef5
SHA256 1cf8e04cfbadda617e0d6d3dfd60ae928b5c5924161e0ba59c01c60b2063d23d
SHA512 4a7ee3af2caf5f999d6e4c8f806d5c3e0c90c21871e3d65971bb9c8cc022a5475be9eaa23955f825dc2c13f23dc67711a0f35848c90c6f0e04250f70045e5d0e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6dcb90ba1ba8e06c1d4f27ec78f6911a
SHA1 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9
SHA256 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416
SHA512 dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a7679.TMP

MD5 e151686086ea29e76c7ae96958f4e5b3
SHA1 443f8b603fb5cea196aaec266cb1a02d0019614e
SHA256 8898f5c9acea08fc77da79bd0318d1b0e110938740de050e31a5da1c166b5146
SHA512 07961dde197bc9348c4daec0d5f112053dde66d47c3c7dc23a9cefeee46675bb199a017ebea48875c586aa22eafa9ec0953e74bf8737a87e59056e6732a19581

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 772c99a8b7d897145c18138c5f2474be
SHA1 37882d4bc6b36b6e08ed711855f3389004e511e2
SHA256 8906cef33b08af95f971dc7d830a375d6035e83d48d6e951ee338dc17ee60a03
SHA512 054b3c0c628f3a5830c8f7d803adffe351ae1f980f0f8ebb6964c7c6396b26b39b9be9e46e3e1b18ec0e814c5f8f3ff7707abb5da84974f4b394c03f40456233

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f2216963beef6ed45a697371a440d2c2
SHA1 7ebd7da2d6470e1c5ca22d9f4fc6cfd9d8317534
SHA256 a0f9ecb127e92787f9d5dcd8702083cc09c863f04ff4664eeca735f6494fc6fd
SHA512 a1fff0e3baf80f5cbf52ed59a5117db301cc27eb8e3039b01eef788300ce33c876156f1cfc6fed83c6537cfc1ef7a4dd261a92c4f2a3361133c8da3a86f9f4e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
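
The Files section is most useful once it is keyed by content rather than by path. Three things stand out in the entries above: EA1.exe and fefffe8cea\explothe.exe carry identical hashes (the dropped file was copied into a randomly named directory under %TEMP%), the Edge state files (settings.dat, Preferences, Local State) appear with several different hashes because the browser session kept rewriting them, and the crashpad named pipe hashes to the empty input (MD5 d41d8cd9..., SHA256 e3b0c442...), so it carries no content at all. The script below is an added example for this report, not part of the sandbox output; it parses path/hash blocks, collapses repeats, reports same-content-different-path copies, and produces a hunt list that leaves out the empty hash and the rewritten browser files. The sample entries are copied from the section above with the SHA1/SHA512 lines left out for brevity; the parser accepts any "ALGO hexdigest" line.

```python
"""Correlate the Files section of a sandbox report by content hash.

Added example for this report, not part of the sandbox output. The sample
entries are copied from the page's Files section with the SHA1/SHA512 lines
left out for brevity; the parser accepts any "ALGO hexdigest" line.
"""
import re
from collections import defaultdict

FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\EA1.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c126b33f65b7fc4ece66e42d6802b02e
SHA256 ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

\??\pipe\LOCAL\crashpad_748_UVHAZCIBSASMZEBU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# SHA-256 of zero bytes: the pipe entry has no content and is not an IOC.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def parse_entries(text):
    """Yield (path, {algo: digest}) per block; a path line is any non-hash line."""
    path, hashes = None, {}
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_LINE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2).lower()
        elif line:
            if path and hashes:
                yield path, hashes
            path, hashes = line, {}
    if path and hashes:
        yield path, hashes


def correlate(text):
    """Map sha256 -> set(paths) and path -> set(sha256); exact repeats collapse."""
    by_hash, by_path = defaultdict(set), defaultdict(set)
    for path, h in parse_entries(text):
        if "SHA256" in h:
            by_hash[h["SHA256"]].add(path)
            by_path[path].add(h["SHA256"])
    return dict(by_hash), dict(by_path)


def renamed_copies(text):
    """One content hash under several paths: a dropped file copied elsewhere."""
    by_hash, _ = correlate(text)
    return {sha: sorted(p) for sha, p in by_hash.items() if len(p) > 1}


def hunt_list(text):
    """SHA256 values to search for on other hosts: drop the empty-content hash
    and paths that were rewritten with different content (browser state files
    the sandbox's own Edge session kept updating)."""
    by_hash, by_path = correlate(text)
    return {sha: sorted(paths) for sha, paths in by_hash.items()
            if sha != EMPTY_SHA256 and not all(len(by_path[p]) > 1 for p in paths)}
```

Keying by hash also answers the question the path list cannot: which of the many %TEMP% names are the same payload. Block and hunt on the SHA256 values, and treat the directory names (fefffe8cea, 006700e5a2ab05) as per-infection randomness rather than indicators.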