Malware Analysis Report

2025-01-23 11:34

Sample ID 231010-2z33faag97
Target file.exe
SHA256 09bc171f5333f9d34f9a2f99915ed31613f6ca4c35a10699bfacca8524054b67
Tags
amadey glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor dropper evasion infostealer loader persistence rat trojan dcrat lutyr magia
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09bc171f5333f9d34f9a2f99915ed31613f6ca4c35a10699bfacca8524054b67

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary


Amadey

SectopRAT

RedLine

DcRat

Glupteba payload

SmokeLoader

Detects Healer, an antivirus disabler dropper

RedLine payload

Glupteba

Healer

Modifies Windows Defender Real-time Protection settings

SectopRAT payload

Downloads MZ/PE file

Loads dropped DLL

Windows security modification

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 23:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 23:02

Reported

2023-10-10 23:05

Platform

win7-20230831-en

Max time kernel

134s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DBFD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDF1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E16C.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E3BD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E813.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ADF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4552.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4DCC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DBFD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E813.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\FG2wS5ol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\DBFD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IB0tc6CQ.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3000 set thread context of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2304 set thread context of 112 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E62E.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
PID 2356 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
PID 2068 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
PID 2068 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
PID 3000 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3000 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3000 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\SysWOW64\WerFault.exe
PID 1204 wrote to memory of 2880 N/A N/A C:\Users\Admin\AppData\Local\Temp\DBFD.exe
PID 2880 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\DBFD.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kx4St2pf.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 292

C:\Users\Admin\AppData\Local\Temp\DBFD.exe

C:\Users\Admin\AppData\Local\Temp\DBFD.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\DDF1.exe

C:\Users\Admin\AppData\Local\Temp\DDF1.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\E16C.bat

"C:\Users\Admin\AppData\Local\Temp\E16C.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 132

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E189.tmp\E199.tmp\E19A.bat C:\Users\Admin\AppData\Local\Temp\E16C.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 280

C:\Users\Admin\AppData\Local\Temp\E3BD.exe

C:\Users\Admin\AppData\Local\Temp\E3BD.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 132

C:\Users\Admin\AppData\Local\Temp\E62E.exe

C:\Users\Admin\AppData\Local\Temp\E62E.exe

C:\Users\Admin\AppData\Local\Temp\E813.exe

C:\Users\Admin\AppData\Local\Temp\E813.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\11C2.exe

C:\Users\Admin\AppData\Local\Temp\11C2.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\2ADF.exe

C:\Users\Admin\AppData\Local\Temp\2ADF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 528

C:\Users\Admin\AppData\Local\Temp\4552.exe

C:\Users\Admin\AppData\Local\Temp\4552.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 508

C:\Users\Admin\AppData\Local\Temp\4DCC.exe

C:\Users\Admin\AppData\Local\Temp\4DCC.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010230444.log C:\Windows\Logs\CBS\CbsPersist_20231010230444.cab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe

MD5 56561b0f5ca4cf290c75c3001613d3c1
SHA1 f197b60b93fad8f405e772eba2ee3243482e6502
SHA256 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68
SHA512 ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe

MD5 56561b0f5ca4cf290c75c3001613d3c1
SHA1 f197b60b93fad8f405e772eba2ee3243482e6502
SHA256 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68
SHA512 ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe

MD5 8d23bbf024acc1276c1ec3ea52e773c8
SHA1 7c49f18707918fc09d3f3916eab3de18bde06efa
SHA256 c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c
SHA512 b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe

MD5 8d23bbf024acc1276c1ec3ea52e773c8
SHA1 7c49f18707918fc09d3f3916eab3de18bde06efa
SHA256 c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c
SHA512 b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd

\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/2772-30-0x0000000001E30000-0x0000000001E4E000-memory.dmp

memory/2772-31-0x0000000002020000-0x000000000203C000-memory.dmp

memory/2772-32-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-33-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-35-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-37-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-39-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-41-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-43-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-45-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-47-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-49-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-51-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-53-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-55-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-57-0x0000000002020000-0x0000000002036000-memory.dmp

memory/2772-59-0x0000000002020000-0x0000000002036000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe

MD5 cf7780ca38d90bab26c8e971b682017e
SHA1 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6
SHA256 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c
SHA512 f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe

MD5 cf7780ca38d90bab26c8e971b682017e
SHA1 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6
SHA256 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c
SHA512 f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a

memory/2996-67-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2996-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2996-69-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2996-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2996-70-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1204-75-0x0000000002A00000-0x0000000002A16000-memory.dmp

memory/2996-76-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DBFD.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\DBFD.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\IXP003.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

\Users\Admin\AppData\Local\Temp\IXP004.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\DDF1.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

\Users\Admin\AppData\Local\Temp\IXP006.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\IXP007.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\E16C.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\DDF1.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\E189.tmp\E199.tmp\E19A.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\E3BD.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\E3BD.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\E62E.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\E813.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1780-180-0x00000000002F0000-0x00000000002FA000-memory.dmp

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1780-185-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

memory/1780-187-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

memory/1628-190-0x0000000000090000-0x0000000000FBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/112-211-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2304-216-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2304-215-0x0000000002414000-0x0000000002427000-memory.dmp

memory/112-214-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2636-210-0x00000000000A0000-0x00000000005B6000-memory.dmp

memory/2740-217-0x0000000003F70000-0x0000000004368000-memory.dmp

memory/112-219-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1204-218-0x0000000002A80000-0x0000000002A96000-memory.dmp

memory/1628-223-0x00000000734A0000-0x0000000073B8E000-memory.dmp

memory/2740-224-0x0000000003F70000-0x0000000004368000-memory.dmp

memory/2740-225-0x0000000004370000-0x0000000004C5B000-memory.dmp

memory/2740-227-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2636-228-0x00000000734A0000-0x0000000073B8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ADF.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2636-233-0x00000000051E0000-0x0000000005220000-memory.dmp

memory/2640-235-0x0000000001C00000-0x0000000001C5A000-memory.dmp

memory/2640-234-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2640-239-0x00000000734A0000-0x0000000073B8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4552.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2636-248-0x0000000000910000-0x0000000000911000-memory.dmp

memory/3012-249-0x0000000000020000-0x000000000003E000-memory.dmp

memory/3012-250-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2740-252-0x0000000000400000-0x000000000266D000-memory.dmp

memory/3012-255-0x00000000734A0000-0x0000000073B8E000-memory.dmp

memory/2816-259-0x0000000000280000-0x000000000029E000-memory.dmp

memory/2760-260-0x000000013F370000-0x000000013F911000-memory.dmp

memory/1628-261-0x00000000734A0000-0x0000000073B8E000-memory.dmp

memory/2816-262-0x00000000734A0000-0x0000000073B8E000-memory.dmp

memory/2816-263-0x0000000002000000-0x0000000002040000-memory.dmp

memory/2636-264-0x00000000734A0000-0x0000000073B8E000-memory.dmp

memory/2636-265-0x00000000051E0000-0x0000000005220000-memory.dmp

memory/2640-269-0x00000000734A0000-0x0000000073B8E000-memory.dmp

memory/2740-270-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1780-271-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

memory/2816-273-0x00000000734A0000-0x0000000073B8E000-memory.dmp

memory/2636-274-0x0000000000A30000-0x0000000000A4C000-memory.dmp

memory/2636-275-0x0000000000A30000-0x0000000000A45000-memory.dmp

memory/2636-276-0x0000000000A30000-0x0000000000A45000-memory.dmp

memory/2636-278-0x0000000000A30000-0x0000000000A45000-memory.dmp

memory/2816-280-0x0000000002000000-0x0000000002040000-memory.dmp

memory/2636-281-0x0000000000A30000-0x0000000000A45000-memory.dmp

memory/2636-283-0x0000000000A30000-0x0000000000A45000-memory.dmp

memory/1776-305-0x000007FEF4CB0000-0x000007FEF564D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 23:02

Reported

2023-10-10 23:05

Platform

win10v2004-20230915-en

Max time kernel

121s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\BF33.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\BF33.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\BF33.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\BF33.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\BF33.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\BF33.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C119.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BBC6.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\BF33.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\B8D6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
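
The three registry tables above (the Geo\Nation query under "Checks computer location settings", the TamperProtection writes under "Windows security modification" and the RunOnce values under "Adds Run key to start application") are best read together, and two of the sandbox labels need a caveat. Geo\Nation holds the user's configured country; a query there right after launch is the usual geofence check. The TamperProtection write by 1bE73Jr0.exe landed under WOW6432Node, which is where a 32-bit process is redirected when it opens HKLM\SOFTWARE; the 64-bit Defender service reads the native key, so of the two writes only the one by BF33.exe reaches the key that matters. The wextract_cleanupN RunOnce values are written by WExtract, Microsoft's self-extracting stub: each runs advpack.dll's DelNodeRunDLL32 to delete an IXP00n.TMP extraction folder at next logon and launches no payload, so the indices 0 to 5 are evidence of six nested self-extracting layers, not of persistence. The script below applies those three readings to rows copied from the tables. It is an added example, not part of the sandbox output; the category names, severities and regular expressions are the editor's own.

```python
"""Classify the registry events from the three signature tables above.

Added example, not part of the sandbox output. The rows are copied from the
tables; category names, severities and regexes are the editor's own.
"""
import re

# (operation, key path, written value or None, process) copied from the tables
REGISTRY_EVENTS = [
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation",
     None, r"C:\Users\Admin\AppData\Local\Temp\C119.exe"),
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation",
     None, r"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"),
    ("Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "0", r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe"),
    ("Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "0", r"C:\Users\Admin\AppData\Local\Temp\BF33.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\file.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe"),
]

GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
DEFENDER_FEATURE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>WOW6432Node\\)?Microsoft\\Windows Defender\\"
    r"Features\\(?P<feature>[^\\]+)$", re.I)
AUTORUN = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(?P<hive>RunOnce|Run)\\(?P<name>[^\\]+)$", re.I)
# The value WExtract (the Windows self-extractor stub) writes to delete its IXP00n.TMP folder.
WEXTRACT_CLEANUP = re.compile(r"^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 ", re.I)


def classify(operation, key, value, process):
    """Return (category, severity, note) for one registry event."""
    if GEO_NATION.search(key):
        return ("geofence-check", "low",
                f"{process} read the user's country setting; commonly used to skip excluded regions")
    m = DEFENDER_FEATURE.match(key)
    if m and operation.startswith("Set value"):
        if m.group("wow"):
            # A 32-bit process opening HKLM\SOFTWARE is redirected to WOW6432Node; the 64-bit
            # Defender service reads the native key, so this write never reaches it.
            return ("defender-tamper", "medium",
                    f"{process} set {m.group('feature')}={value} in the WOW6432Node view (redirected, ineffective)")
        return ("defender-tamper", "high",
                f"{process} set {m.group('feature')}={value} in the native Defender key")
    m = AUTORUN.search(key)
    if m:
        if value and WEXTRACT_CLEANUP.match(value):
            return ("sfx-cleanup", "info",
                    f"{m.group('name')} deletes an IXP00n.TMP extraction folder at next logon, not persistence")
        return ("autorun", "high", f"{process} registered {m.group('name')} under {m.group('hive')}")
    return ("other", "info", f"{operation} {key}")


def triage(events):
    """Classify every event; return {category: [(severity, note), ...]} in table order."""
    out = {}
    for op, key, value, proc in events:
        cat, sev, note = classify(op, key, value, proc)
        out.setdefault(cat, []).append((sev, note))
    return out


def sfx_nesting_depth(events):
    """Number of nested WExtract layers, from the highest wextract_cleanupN index seen."""
    depth = 0
    for _, key, value, _ in events:
        m = AUTORUN.search(key)
        if m and value and WEXTRACT_CLEANUP.match(value):
            n = re.search(r"wextract_cleanup(\d+)$", m.group("name"), re.I)
            if n:
                depth = max(depth, int(n.group(1)) + 1)
    return depth


if __name__ == "__main__":
    for cat, hits in triage(REGISTRY_EVENTS).items():
        for sev, note in hits:
            print(f"[{sev:6}] {cat:16} {note}")
    print("nested self-extracting layers:", sfx_nesting_depth(REGISTRY_EVENTS))
```

Feeding the full tables in (this report lists wextract_cleanup0 through wextract_cleanup5) gives a depth of six, and the only TamperProtection write rated high is the one by BF33.exe.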

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
(60 further hits with no process recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BF33.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5016 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
PID 5016 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
PID 5016 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe
PID 2972 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
PID 2972 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
PID 2972 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe
PID 316 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
PID 316 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
PID 316 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe
PID 316 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
PID 316 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
PID 316 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe
PID 1936 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1936 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1936 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1936 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1936 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1936 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe
PID 2972 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe
PID 2972 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe
PID 5112 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5112 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5112 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5112 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5112 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5112 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5112 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5112 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5016 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe
PID 5016 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe
PID 5016 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe
PID 3164 wrote to memory of 3556 N/A N/A C:\Users\Admin\AppData\Local\Temp\B8D6.exe
PID 3164 wrote to memory of 3556 N/A N/A C:\Users\Admin\AppData\Local\Temp\B8D6.exe
PID 3164 wrote to memory of 3556 N/A N/A C:\Users\Admin\AppData\Local\Temp\B8D6.exe
PID 3164 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe
PID 3164 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe
PID 3164 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe
PID 3556 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\B8D6.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 3556 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\B8D6.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 3556 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\B8D6.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe
PID 3164 wrote to memory of 4432 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBC6.bat
PID 3164 wrote to memory of 4432 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBC6.bat
PID 3164 wrote to memory of 4432 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBC6.bat
PID 2792 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 2792 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 2792 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe
PID 3164 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE67.exe
PID 3164 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE67.exe
PID 3164 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE67.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\BB1A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3732 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF33.exe
PID 3164 wrote to memory of 3732 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF33.exe
PID 4600 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
PID 4600 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe
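
Every parent-to-child pair in the table above shows exactly three writes, which is what the sandbox records for an ordinary launch of a freshly dropped child, while the writes into AppLaunch.exe (a signed .NET Framework host under C:\Windows) run to six, eight and ten. Read together with the SetThreadContext and MapViewOfSection signatures in the summary, that is consistent with process hollowing: a dropped stage starts AppLaunch.exe, replaces its image, and resumes it, so the injected payload runs under a Microsoft binary's name. The script below, an added example rather than sandbox output, rebuilds that picture from the rows: it parses the "PID X wrote to memory of Y" lines, counts writes per pair, flags targets under the Windows directory that received more writes than a plain launch produces (the threshold of four is an assumption based on the three-write pattern above), and prints each flagged target's lineage back to file.exe. Repeated rows are collapsed with list multiplication; the PID 3164 parent has no path in the report and is kept as N/A.

```python
"""Rebuild the injection chain from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report. Rows are copied from the table
above (repeated rows collapsed with list multiplication); the write-count
threshold is the editor's assumption.
"""
import re

TMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

ROWS = (
    [rf"PID 5016 wrote to memory of 2972 N/A {TMP}\file.exe {TMP}\IXP000.TMP\OF9Kc06.exe"] * 3
    + [rf"PID 2972 wrote to memory of 316 N/A {TMP}\IXP000.TMP\OF9Kc06.exe {TMP}\IXP001.TMP\ly7DS44.exe"] * 3
    + [rf"PID 316 wrote to memory of 1936 N/A {TMP}\IXP001.TMP\ly7DS44.exe {TMP}\IXP002.TMP\3ZK47eG.exe"] * 3
    + [rf"PID 1936 wrote to memory of 4100 N/A {TMP}\IXP002.TMP\3ZK47eG.exe {APPLAUNCH}"] * 6
    + [rf"PID 2972 wrote to memory of 5112 N/A {TMP}\IXP000.TMP\OF9Kc06.exe {TMP}\IXP001.TMP\4rU642qF.exe"] * 3
    + [rf"PID 5112 wrote to memory of 3060 N/A {TMP}\IXP001.TMP\4rU642qF.exe {APPLAUNCH}"] * 8
    + [rf"PID 3164 wrote to memory of 2376 N/A N/A {TMP}\BB1A.exe"] * 3
    + [rf"PID 2376 wrote to memory of 1276 N/A {TMP}\BB1A.exe {APPLAUNCH}"] * 10
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumption: three writes is what the sandbox logs for an ordinary child launch
# (every dropper->child pair above shows exactly three); more than that into a
# binary under the Windows directory is treated as hollowing.
HOLLOW_MIN_WRITES = 4
SYSTEM_ROOT = "c:\\windows\\"


def parse(rows):
    """Return {(src_pid, dst_pid): {'src': path, 'dst': path, 'writes': n}}."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst, src_path, dst_path = m.groups()
        e = edges.setdefault((int(src), int(dst)), {"src": src_path, "dst": dst_path, "writes": 0})
        e["writes"] += 1
    return edges


def hollowing_candidates(edges):
    """(dst_pid, src_path, dst_path, writes) for Windows-directory targets written more than a launch needs."""
    return sorted(
        (dst, e["src"], e["dst"], e["writes"])
        for (src, dst), e in edges.items()
        if e["dst"].lower().startswith(SYSTEM_ROOT) and e["writes"] >= HOLLOW_MIN_WRITES
    )


def lineage(edges, pid):
    """Walk parent links back to the root; returns [(pid, path), ...] root first."""
    parent = {dst: (src, e["src"]) for (src, dst), e in edges.items()}
    names = {dst: e["dst"] for (_, dst), e in edges.items()}
    chain = [(pid, names.get(pid, "N/A"))]
    while chain[0][0] in parent:
        ppid, ppath = parent[chain[0][0]]
        chain.insert(0, (ppid, ppath))
    return chain


def basename(path):
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    edges = parse(ROWS)
    for dst, src_path, dst_path, n in hollowing_candidates(edges):
        print(f"{n} writes into {dst_path} (pid {dst}) from {src_path}")
        print("   " + " -> ".join(f"{p}:{basename(path)}" for p, path in lineage(edges, dst)))
```

On the rows above this prints three flagged AppLaunch.exe instances; the deepest lineage is file.exe -> OF9Kc06.exe -> ly7DS44.exe -> 3ZK47eG.exe -> AppLaunch.exe, four dropper layers before the first payload host.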

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe

C:\Users\Admin\AppData\Local\Temp\B8D6.exe

C:\Users\Admin\AppData\Local\Temp\B8D6.exe

C:\Users\Admin\AppData\Local\Temp\BB1A.exe

C:\Users\Admin\AppData\Local\Temp\BB1A.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\BBC6.bat

"C:\Users\Admin\AppData\Local\Temp\BBC6.bat"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\BE67.exe

C:\Users\Admin\AppData\Local\Temp\BE67.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2376 -ip 2376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 396

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\BF33.exe

C:\Users\Admin\AppData\Local\Temp\BF33.exe

C:\Users\Admin\AppData\Local\Temp\C119.exe

C:\Users\Admin\AppData\Local\Temp\C119.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1924 -ip 1924

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BD2C.tmp\BD2D.tmp\BD2E.bat C:\Users\Admin\AppData\Local\Temp\BBC6.bat"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A677.tmp\A678.tmp\A679.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1324 -ip 1324

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 580

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 200

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2hH861vm.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2hH861vm.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda15b46f8,0x7ffda15b4708,0x7ffda15b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffda15b46f8,0x7ffda15b4708,0x7ffda15b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffda15b46f8,0x7ffda15b4708,0x7ffda15b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffda15b46f8,0x7ffda15b4708,0x7ffda15b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,10943926081794034041,401860051618243617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1728 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,2867015218801859923,3995703550566121391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\602.exe

C:\Users\Admin\AppData\Local\Temp\602.exe

C:\Users\Admin\AppData\Local\Temp\117D.exe

C:\Users\Admin\AppData\Local\Temp\117D.exe

C:\Users\Admin\AppData\Local\Temp\1382.exe

C:\Users\Admin\AppData\Local\Temp\1382.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\1920.exe

C:\Users\Admin\AppData\Local\Temp\1920.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5420 -ip 5420

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 776

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5351807072578682034,8512212761129463294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe

MD5 56561b0f5ca4cf290c75c3001613d3c1
SHA1 f197b60b93fad8f405e772eba2ee3243482e6502
SHA256 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68
SHA512 ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OF9Kc06.exe

MD5 56561b0f5ca4cf290c75c3001613d3c1
SHA1 f197b60b93fad8f405e772eba2ee3243482e6502
SHA256 3e7418845f87f804a908804fb10ae35a626ceb62c373e5a244a2acedb5369f68
SHA512 ccd22bed122d6701cc8418450466e17e40acc6f1a0dcfc89d03ef05795237af196a305222e440653546655807158c1a110f94e3551cea03f23ed612120d6274c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe

MD5 8d23bbf024acc1276c1ec3ea52e773c8
SHA1 7c49f18707918fc09d3f3916eab3de18bde06efa
SHA256 c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c
SHA512 b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ly7DS44.exe

MD5 8d23bbf024acc1276c1ec3ea52e773c8
SHA1 7c49f18707918fc09d3f3916eab3de18bde06efa
SHA256 c944d705797b460ca2cc406f86a38c8563ad8063ea2fd4eca074db58229ef16c
SHA512 b65615e893addf4867968e53717b701f07368da2add5d6a91f580fbc8f112abd3a643b783e53d7f2b0ca0d223f4e1a08b282a09f49cf2129a0b12ca45e5339fd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bE73Jr0.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/4132-21-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4132-22-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4132-23-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4132-24-0x0000000002360000-0x000000000237E000-memory.dmp

memory/4132-25-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4132-26-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4132-27-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4132-28-0x0000000004C30000-0x00000000051D4000-memory.dmp

memory/4132-29-0x0000000002640000-0x000000000265C000-memory.dmp

memory/4132-30-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4132-31-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-32-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-44-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-42-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-40-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-38-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-46-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-36-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-34-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-48-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-50-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-52-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-54-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-56-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-58-0x0000000002640000-0x0000000002656000-memory.dmp

memory/4132-60-0x0000000074610000-0x0000000074DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe

MD5 cf7780ca38d90bab26c8e971b682017e
SHA1 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6
SHA256 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c
SHA512 f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ZK47eG.exe

MD5 cf7780ca38d90bab26c8e971b682017e
SHA1 2f80445a0e2ad5d75b6e4e98d7317fc321c9d5a6
SHA256 5dfc3245d7c6b13d9cae4a439731d4c1eaad5775e58aaaa9382c95baa750779c
SHA512 f7f59f64b38303c9c284dfbfefb98599f89b98128dea9baf1b9846dbfe7a0bff4c114f2430354caaa277e5cf5529f670677529aed339089047013225b64e384a

memory/4100-64-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4100-65-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3164-66-0x00000000006A0000-0x00000000006B6000-memory.dmp

memory/4100-69-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe

MD5 65b1c683fb39708c8966c14dcace52a2
SHA1 a301da3c1cbb90f0b3e1b36248b2f44407dcc54f
SHA256 5f396a11078b472ff6d16de1c55d14c1162ea316b590085d980fedfe4ad7be69
SHA512 9a07d72ae119cb5569d7a8506a56c7b94ef5cd626b3b000c5745d25e15c93d7198c8f8ad7f7952c369ad6eb2f5e978bc62f230d4f3999cf3884508821c15b5c3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4rU642qF.exe

MD5 65b1c683fb39708c8966c14dcace52a2
SHA1 a301da3c1cbb90f0b3e1b36248b2f44407dcc54f
SHA256 5f396a11078b472ff6d16de1c55d14c1162ea316b590085d980fedfe4ad7be69
SHA512 9a07d72ae119cb5569d7a8506a56c7b94ef5cd626b3b000c5745d25e15c93d7198c8f8ad7f7952c369ad6eb2f5e978bc62f230d4f3999cf3884508821c15b5c3

memory/3060-73-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3060-74-0x00000000741B0000-0x0000000074960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe

MD5 6d7af5e06ae9f0d8c4541523fe8de68e
SHA1 a124dba85a42e681fd0aaa62c7429ebcf963204d
SHA256 ac8f2de061e32fe886300db67d970453bebab3ecf0af7dac93b9d5cb5557d1cd
SHA512 82cbe18a4fd4100e2fdbc2533b334eb3ba3c78613f113acd08687c98c99d237f5ba98e7ba5aa2f5b8dce99cc5c29ad255945879103cbbe054c7a3cf65b00c426

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5sR8au2.exe

MD5 6d7af5e06ae9f0d8c4541523fe8de68e
SHA1 a124dba85a42e681fd0aaa62c7429ebcf963204d
SHA256 ac8f2de061e32fe886300db67d970453bebab3ecf0af7dac93b9d5cb5557d1cd
SHA512 82cbe18a4fd4100e2fdbc2533b334eb3ba3c78613f113acd08687c98c99d237f5ba98e7ba5aa2f5b8dce99cc5c29ad255945879103cbbe054c7a3cf65b00c426

memory/3060-78-0x0000000007A90000-0x0000000007B22000-memory.dmp

memory/3060-83-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8D6.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\B8D6.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\6Wv57eP.exe

MD5 9d4d147233220521442956ab1e41861a
SHA1 b8377797207475fd453286d26f2d2a4bb8d83728
SHA256 c7df1e7fd95ac9e40120f055fe83ffd55998d2fb5e8406a787a3b0d2b5732e7d
SHA512 becc06ca3397f84171c7cff851ff7c643e730ca00b9097296c2bc88046bc2d76f127d2594a7caed6d98be9588f2010896ec3adb46c13bc3b7be2aaa8529ec5ec

C:\Users\Admin\AppData\Local\Temp\BB1A.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\BB1A.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\BBC6.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\BBC6.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\BE67.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\BE67.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

memory/1276-116-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1276-118-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1276-123-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

memory/3732-132-0x0000000000900000-0x000000000090A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

memory/1276-130-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF33.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/3060-125-0x00000000741B0000-0x0000000074960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF33.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\C119.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\C119.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3060-146-0x0000000005630000-0x000000000563A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

memory/3732-151-0x00007FFD9FA80000-0x00007FFDA0541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3160-161-0x00000000741B0000-0x0000000074960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3160-164-0x0000000007840000-0x0000000007850000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1276-165-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4984-167-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4984-168-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4984-170-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD2C.tmp\BD2D.tmp\BD2E.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/3060-172-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

memory/4048-177-0x0000000000350000-0x000000000038E000-memory.dmp

memory/4048-176-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/4048-178-0x00000000072C0000-0x00000000072D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A677.tmp\A678.tmp\A679.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 451fddf78747a5a4ebf64cabb4ac94e7
SHA1 6925bd970418494447d800e213bfd85368ac8dc9
SHA256 64d12f59d409aa1b03f0b2924e0b2419b65c231de9e04fce15cc3a76e1b9894d
SHA512 edb85a2a94c207815360820731d55f6b4710161551c74008df0c2ae10596e1886c8a9e11d43ddf121878ae35ac9f06fc66b4c325b01ed4e7bf4d3841b27e0864

memory/3732-183-0x00007FFD9FA80000-0x00007FFDA0541000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/3160-191-0x0000000008960000-0x0000000008F78000-memory.dmp

memory/3160-192-0x00000000741B0000-0x0000000074960000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/4048-203-0x0000000007480000-0x000000000758A000-memory.dmp

memory/3160-210-0x0000000007B60000-0x0000000007B72000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/4048-212-0x0000000007400000-0x000000000743C000-memory.dmp

\??\pipe\LOCAL\crashpad_4968_BNSFBSNMMMHOUVXI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3732-216-0x00007FFD9FA80000-0x00007FFDA0541000-memory.dmp

memory/3160-220-0x0000000007840000-0x0000000007850000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8f6f3e6b6d6003fd8590962b634531b3
SHA1 8e0d3a32465984e6e4ba6594c30d021253f44568
SHA256 1df38d74d0a56917b73bf5fbf04bafa065ce8c8b014ae244ed8d689e2a1e61fc
SHA512 969e2fe88c9ccdbabb8a5eebcd7f33aa03e19fd55121a3c3cdb2b0209de02f5b4152c6e2ceb7e5f7754fbe814c6fa33834566cf7abba29a382db5d5968303624

memory/3060-223-0x0000000005590000-0x00000000055DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\eb7537ab-9acb-4b89-99e8-c4b102efa1b2.tmp

MD5 ea47b779697c149e0a0f956fa3b53287
SHA1 3c9bb236c007288300377fb591be57150f8b961a
SHA256 98e109b14618576e3d28d0e58e1cd6ba72b0489470605835e57a7713d1ec3adf
SHA512 4ce6e0517cedbb908f01bbbfd842784772a54a62ddd5cbbce70e6a403442327d0037fb8ae13689b1cc44e43b1ff5179515ce693e08ed7eef21893b10488295f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 539b2eb61817a20633f325862c3aca9d
SHA1 8049861d9565235bd6330d01017c3eff575e0c51
SHA256 ed7b3b7d53650af9531c60ca6ccea8a59a1cc630256fc3d6ad2d7001f3b1108a
SHA512 ad1c8af5d121527c586916fc05a58a032e149bdddd34dc683be96d79f3d8c945084a0b6b04f9b15435bb9f28c87e77d4c4a60b69575d1d76054fd6fc5dbe7b7f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 539b2eb61817a20633f325862c3aca9d
SHA1 8049861d9565235bd6330d01017c3eff575e0c51
SHA256 ed7b3b7d53650af9531c60ca6ccea8a59a1cc630256fc3d6ad2d7001f3b1108a
SHA512 ad1c8af5d121527c586916fc05a58a032e149bdddd34dc683be96d79f3d8c945084a0b6b04f9b15435bb9f28c87e77d4c4a60b69575d1d76054fd6fc5dbe7b7f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ea47b779697c149e0a0f956fa3b53287
SHA1 3c9bb236c007288300377fb591be57150f8b961a
SHA256 98e109b14618576e3d28d0e58e1cd6ba72b0489470605835e57a7713d1ec3adf
SHA512 4ce6e0517cedbb908f01bbbfd842784772a54a62ddd5cbbce70e6a403442327d0037fb8ae13689b1cc44e43b1ff5179515ce693e08ed7eef21893b10488295f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 539b2eb61817a20633f325862c3aca9d
SHA1 8049861d9565235bd6330d01017c3eff575e0c51
SHA256 ed7b3b7d53650af9531c60ca6ccea8a59a1cc630256fc3d6ad2d7001f3b1108a
SHA512 ad1c8af5d121527c586916fc05a58a032e149bdddd34dc683be96d79f3d8c945084a0b6b04f9b15435bb9f28c87e77d4c4a60b69575d1d76054fd6fc5dbe7b7f

memory/4048-286-0x00000000741B0000-0x0000000074960000-memory.dmp

\??\pipe\LOCAL\crashpad_4672_ILTTKOFXANYZVQAR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_3128_RAKUFLACDEPXEINX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4048-293-0x00000000072C0000-0x00000000072D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\602.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\602.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/5340-306-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/5340-307-0x0000000000BE0000-0x0000000001B0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\117D.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 80e251c43c5e1579668496d23e67b422
SHA1 db70b8d507f9484238416499b13c1613b146c923
SHA256 67e8209fcb656b2d984a1cbd5da7f84045002311d2d8b6fa0fef5c82939aeaaa
SHA512 1b8fb17052a43308b7721b9cced71f9cee8938303c75918cf9355f014afcecc705b631e61f065de1950546ecdfe24e8a7b3a0b9829eab35e2f2288161810acef

memory/5420-321-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5420-322-0x0000000001FE0000-0x000000000203A000-memory.dmp

memory/5496-329-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5496-328-0x00000000001C0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/5496-339-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/5420-335-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/5676-343-0x00000000006D0000-0x00000000006EE000-memory.dmp

memory/5676-344-0x00000000741B0000-0x0000000074960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3afb732002b91f4b666fd5232c15e676
SHA1 5c38885be9694248ad3b2534a96f1f092e44d55c
SHA256 a2ad7f18d620899eb8efecccc4d15d55f32b9ea27dabb3bdffffad1f451a5674
SHA512 708b55486e45ead61020ddebade8d5bce9b536155c8ef7f69008f8f86aaefb5a0be2e438cfa0baf7937eaefda22cac611a6f19b89689d396e9417efcf2c2d37c

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ff68de977278013cad8edf52642c9b06
SHA1 cb84c9923b752791a5b73a2f52b6c4de5682d31a
SHA256 00fe5259db353fbd7f4e6e076f2ea41e942f0c0559668aa4a72cf8c34cd9d828
SHA512 78e1478d2b9d03468534c1ee5c7e3df2facf68597629b15582fc92b71d524f27733f8d2526f0fee049a3df37436930aede89cb47e5e0b68d52d1ed3cc14e0063

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 79613a9e10e5a0cf4c8e82fc27acf9e5
SHA1 7c37138f4bdd28f4f93884763a19ef3d87830a44
SHA256 292460269ffee3ffa2b0c7eba36cc7d366745351631c75d566305b6df1cd7b24
SHA512 22ed22f9a8747be24e1354ec3029a9c47a798e75811eb397313965b04a0f0973e25e1bac14e65a68a76e5fd5c0ffc5185d2c71010fbb261a764a7d48137a4862

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a6d42.TMP

MD5 639716d1ce246063dcff1779dacdb142
SHA1 711911afa77c03a8c47f522aeaf42dbe462be02e
SHA256 314fbcae5f0278f2310ef54aafb2dc2029c4c91b5730334da28ca93446b62d57
SHA512 6a5343976d023269abc05fa9c4097fb5f50e3400d9069a1ff919aa0f9ae745dc9884484a5f50ad24bb0b2144c369f80b3d02fd5d809fef265bd377e3ea3be968

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f1b95685d31124005b0da06c1a8f1c96
SHA1 df3bb910ab76f8c0618d84defe4fe3a6331d231b
SHA256 de1fdf03c2374789389fc55f65cd2c7d6bb3a1e4d34e0847c3adec2f00a59554
SHA512 86570b4f8e484f6dc0b8a0bfc8b4a172008bb56f8b9bfc6490a6d6b08cd39c852a65dd44996a52faa1c7f995323e44ba979dc2bae15e9b1f6bfa5b73d170b390

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21iupvgp.gnd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 40889c6b66db3b52074edf148355ac68
SHA1 7c4f3651f34bdee7901c4ee2aadbe62e1c9dbd8e
SHA256 04e600ee945885c3531584e3b5e8951f329c84836dc363e4dd04ce4d813796f0
SHA512 1c435ae9cb27da1e5cdd8159ad5751095b1f24616e4d129766aba932cb7a75ebc61336064a6599c708c9c99788d539975b709d11fd9ebe19eaff6979a3297b5f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4