Malware Analysis Report

2025-01-23 09:01

Sample ID 231010-yvd1zaag93
Target fd2fde4b51e79039d00b43f7cd00b31f.exe
SHA256 1055e85f63c4918500650bf56924ee225d9d62db0c778ea8f606f844e6d13bf9
Tags
evasion persistence trojan amadey dcrat healer redline smokeloader lutyr magia backdoor dropper infostealer rat
score
10/10

Analysis Overview

score
10/10

SHA256

1055e85f63c4918500650bf56924ee225d9d62db0c778ea8f606f844e6d13bf9

Threat Level: Known bad

The file fd2fde4b51e79039d00b43f7cd00b31f.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

SmokeLoader

DcRat

Amadey

Healer

Detects Healer an antivirus disabler dropper

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:06

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:06

Reported

2023-10-10 20:08

Platform

win7-20230831-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2516 set thread context of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1396 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
PID 2128 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
PID 2140 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
PID 3028 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
PID 3028 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
PID 2516 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe

"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 284

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

MD5 e3f20ad259a862d3cda234b5b25db716
SHA1 da45c1bc0344ee184f7f2f3d6b3a4b0d7cda2e0b
SHA256 4f82b4eaa9ef7dbc28d2c3a1c1b43bfeddfc478e7e8922b680df227b7cbef2af
SHA512 d562a680571d08811c42ed1905dc0524d728428ae9a80d465b6d53a57a6de5dd0522b53da39e3a769ee60faabecc941ce04c484515d604b6e3a4b298e8c9ff4c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

MD5 e3f20ad259a862d3cda234b5b25db716
SHA1 da45c1bc0344ee184f7f2f3d6b3a4b0d7cda2e0b
SHA256 4f82b4eaa9ef7dbc28d2c3a1c1b43bfeddfc478e7e8922b680df227b7cbef2af
SHA512 d562a680571d08811c42ed1905dc0524d728428ae9a80d465b6d53a57a6de5dd0522b53da39e3a769ee60faabecc941ce04c484515d604b6e3a4b298e8c9ff4c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

MD5 cc353418f49a51a7bef2afef59ce5071
SHA1 8a48f140bcac612e7701d1fb4f32f24b040fb986
SHA256 e525e5cc3fff370219746ffdea9b7e95157646810707421dc557c940a20cffbd
SHA512 d67c43d9805ac0eff86fc423cd52089e500f633515aa6560cbb86a795737f875c1e4c8590bd97899a40c0f756333f16b651a1bd1da2aaa3053bc59aaf534e9b4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

MD5 cc353418f49a51a7bef2afef59ce5071
SHA1 8a48f140bcac612e7701d1fb4f32f24b040fb986
SHA256 e525e5cc3fff370219746ffdea9b7e95157646810707421dc557c940a20cffbd
SHA512 d67c43d9805ac0eff86fc423cd52089e500f633515aa6560cbb86a795737f875c1e4c8590bd97899a40c0f756333f16b651a1bd1da2aaa3053bc59aaf534e9b4

\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

MD5 fbfba8262cb0687c1616c345893fd7e1
SHA1 18ec2d75f3eaacd497f05d21be556c0ecf760e4c
SHA256 853f57334d5ae888b689559ff4617207736181e8d057985fd02344f335e49f08
SHA512 f760a79089e3ed9162035ccf6e9cb70922fefac79b1418bf71395e943a73da955a0bdd52f2c1d68d2c9cc7bcdcecc8cec23e1a640f875b2d30b26ae3d0da906b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

MD5 fbfba8262cb0687c1616c345893fd7e1
SHA1 18ec2d75f3eaacd497f05d21be556c0ecf760e4c
SHA256 853f57334d5ae888b689559ff4617207736181e8d057985fd02344f335e49f08
SHA512 f760a79089e3ed9162035ccf6e9cb70922fefac79b1418bf71395e943a73da955a0bdd52f2c1d68d2c9cc7bcdcecc8cec23e1a640f875b2d30b26ae3d0da906b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

MD5 9f7da01ebd8a0ab0d1711de39405883d
SHA1 e92b5303fcae4341f66b365e9df00a191e82c59b
SHA256 9a39312d99741edf3f4a575151ee4d46731bb84baba1ed44fd2a00952d1f01d5
SHA512 62ce69db5827f6a88e9bede29431ab1ab4dc1418fbd4a22c6fdc778c9fc1b1223929964d5c65011f288ffb7271a80591f06e4c0c398ce3c98e163eac904e9200

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

MD5 9f7da01ebd8a0ab0d1711de39405883d
SHA1 e92b5303fcae4341f66b365e9df00a191e82c59b
SHA256 9a39312d99741edf3f4a575151ee4d46731bb84baba1ed44fd2a00952d1f01d5
SHA512 62ce69db5827f6a88e9bede29431ab1ab4dc1418fbd4a22c6fdc778c9fc1b1223929964d5c65011f288ffb7271a80591f06e4c0c398ce3c98e163eac904e9200

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:06

Reported

2023-10-10 20:10

Platform

win10v2004-20230915-en

Max time kernel

167s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\F721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\F721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\F721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\F721.exe N/A

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D7B0.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F9D1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7C0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ay3zl0rC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D7B0.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PJ9VB9fv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E156.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IS2mS9Rs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F721.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ov99zg1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F9D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2Zk984aX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3312.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C90A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E127.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ddvtvbj N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F721.exe N/A

Adds Run key to start application

persistence

All nine RunOnce values below are wextract_cleanupN entries written by the Windows self-extractor stub (the IExpress/wextract format each layer of this sample is packed in): rundll32 advpack.dll,DelNodeRunDLL32 deletes the named IXP00n.TMP directory at the next logon, after which the value is consumed. These entries clean up extraction directories rather than relaunch a payload. The directory counter shows two nested chains, the original sample (IXP000.TMP to IXP003.TMP) and C7C0.exe (IXP002.TMP to IXP006.TMP). The payload's own persistence on this page is the scheduled task for explothe.exe listed under Processes.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ay3zl0rC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\C7C0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PJ9VB9fv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IS2mS9Rs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

The process doing this is AppLaunch.exe, the .NET host that 2Yy4755.exe, 3Uw30ar.exe, 4Bh039GC.exe and CB3B.exe write into (see Suspicious use of WriteProcessMemory below), so the enumeration comes from the injected code, not from AppLaunch itself. Reading device names under Enum\SCSI is a common way to pick up disk model strings for virtual-machine detection or host fingerprinting.

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

The table records only the schtasks.exe process; its command line is under Processes: /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F. The task re-runs the dropped binary every minute from the user's Temp directory, is named after the binary, and /F overwrites any existing task of that name.

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

The BIOS manufacturer and product queries come from msedge.exe, which during this detonation is opened on https://accounts.google.com/ and https://www.facebook.com/login (see Processes). A browser reading SMBIOS values at startup is ordinary behaviour; the point of interest is that the browser is started on login pages with no user at the keyboard.

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A (60 events, process not recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (4 events, process not recorded)
Token: SeCreatePagefilePrivilege N/A N/A N/A (4 events, process not recorded)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F721.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (23 events, process not recorded)
Token: SeCreatePagefilePrivilege N/A N/A N/A (23 events, process not recorded)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 events)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4136 wrote to memory of 4352 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
PID 4352 wrote to memory of 1028 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
PID 1028 wrote to memory of 4628 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
PID 4628 wrote to memory of 4568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
PID 4628 wrote to memory of 3360 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
PID 3360 wrote to memory of 5096 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1028 wrote to memory of 1672 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe
PID 1672 wrote to memory of 4232 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4352 wrote to memory of 2996 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe
PID 2996 wrote to memory of 1684 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4136 wrote to memory of 4780 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe
PID 4780 wrote to memory of 3004 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe C:\Windows\system32\cmd.exe
PID 3120 wrote to memory of 212 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\C7C0.exe
PID 212 wrote to memory of 2388 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\C7C0.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe
PID 3120 wrote to memory of 4316 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe
PID 2388 wrote to memory of 4900 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ay3zl0rC.exe
PID 4316 wrote to memory of 828 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
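Two things in the table above matter for triage. Every parent/child pair here, including the dropper launching cmd.exe /c with a real command line, shows two or three writes, consistent with what the sandbox records for an ordinary process start; 2Yy4755.exe, 3Uw30ar.exe, 4Bh039GC.exe and CB3B.exe instead write into an AppLaunch.exe that was started with no arguments (see its command line under Processes), which together with the SetThreadContext and UnmapMainImage signatures in the summary is the process-hollowing pattern, and the WerFault lines under Processes (-p 5096, -p 3360, -p 1672, -p 2996, -p 4316) show several of those hosts and injectors then crashed. PID 3120, which launches C7C0.exe and CB3B.exe, is not among the processes this report lists. The Python below is an added example, not sandbox output: it parses rows copied from the table (accepting both one row per write and a row carrying a "(N writes)" count), rebuilds each parent-to-child chain, and flags writes into a Windows binary that was started without arguments. The argument-less rule and the command-line lookup by file name (the report does not tie command lines to PIDs) are this example's assumptions.

```python
"""Rebuild the injection chain from a sandbox WriteProcessMemory table.

Added example for this report, not sandbox output. Rows are copied from the
table above (one row per write, or one row with a "(N writes)" count);
command lines come from the Processes section. The "system binary started
with no arguments" rule is a heuristic, not a signature.
"""
import re
from collections import Counter

WPM_ROWS = r"""
PID 4136 wrote to memory of 4352 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe
PID 4352 wrote to memory of 1028 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe
PID 1028 wrote to memory of 4628 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe
PID 4628 wrote to memory of 4568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe
PID 4628 wrote to memory of 3360 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe
PID 3360 wrote to memory of 5096 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1028 wrote to memory of 1672 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe
PID 1672 wrote to memory of 4232 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4352 wrote to memory of 2996 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe
PID 2996 wrote to memory of 1684 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4136 wrote to memory of 4780 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe
PID 4780 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe C:\Windows\system32\cmd.exe
PID 4780 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe C:\Windows\system32\cmd.exe
PID 3120 wrote to memory of 212 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\C7C0.exe
PID 212 wrote to memory of 2388 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\C7C0.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe
PID 3120 wrote to memory of 4316 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe
PID 2388 wrote to memory of 4900 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ay3zl0rC.exe
PID 4316 wrote to memory of 828 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"""

# Command line per target image as listed under Processes. Keyed by file name
# because the report does not tie command lines to PIDs (simplifying assumption).
CMDLINES = {
    "AppLaunch.exe": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    "cmd.exe": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9F7.tmp\A9F8.tmp\A9F9.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe"',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) writes\))? N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return Counter{(src_pid, dst_pid, src_path, dst_path): number of writes}."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, count, src_path, dst_path = m.groups()
            edges[(int(src), int(dst), src_path, dst_path)] += int(count or 1)
    return edges


def basename(path):
    return path.rsplit("\\", 1)[-1]


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.partition(" ")[2]
    return bool(rest.strip())


def hollowing_candidates(edges, cmdlines):
    """Writes into a C:\\Windows binary that was started without arguments.
    cmd.exe /c ... is a real child and is skipped; an argument-less
    AppLaunch.exe has no assembly to run and only makes sense as a host."""
    found = []
    for (_, _, src_path, dst_path), n in edges.items():
        if not dst_path.lower().startswith("c:\\windows\\"):
            continue
        target = basename(dst_path)
        if has_arguments(cmdlines.get(target, "")):  # unknown cmdline counts as suspicious
            continue
        found.append((basename(src_path), target, n))
    return sorted(found)


def chains(edges):
    """Root-to-leaf chains of image names; a leaf is a PID that wrote to nobody."""
    parent, name = {}, {}
    for src, dst, src_path, dst_path in edges:
        parent[dst] = src
        name[src] = basename(src_path) if src_path != "N/A" else f"pid {src} (not in report)"
        name[dst] = basename(dst_path)
    sources = {e[0] for e in edges}
    result = []
    for leaf in sorted(pid for pid in name if pid not in sources):
        chain, pid = [], leaf
        while pid is not None:
            chain.append(name[pid])
            pid = parent.get(pid)
        result.append(chain[::-1])
    return result


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    for chain in chains(edges):
        print(" -> ".join(chain))
    for src, dst, n in hollowing_candidates(edges, CMDLINES):
        print(f"hollowing candidate: {src} wrote {n}x into argument-less {dst}")
```

Run as a script it prints seven chains (four of them ending in AppLaunch.exe) and four hollowing candidates; the cmd.exe child is not flagged because its command line carries the .bat it was asked to run.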

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe

"C:\Users\Admin\AppData\Local\Temp\fd2fde4b51e79039d00b43f7cd00b31f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3360 -ip 3360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1672 -ip 1672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2996 -ip 2996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9F7.tmp\A9F8.tmp\A9F9.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe"

C:\Users\Admin\AppData\Local\Temp\C7C0.exe

C:\Users\Admin\AppData\Local\Temp\C7C0.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe

C:\Users\Admin\AppData\Local\Temp\CB3B.exe

C:\Users\Admin\AppData\Local\Temp\CB3B.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ay3zl0rC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ay3zl0rC.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4316 -ip 4316

C:\Users\Admin\AppData\Local\Temp\D7B0.bat

"C:\Users\Admin\AppData\Local\Temp\D7B0.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PJ9VB9fv.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PJ9VB9fv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 388

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DFBC.tmp\DFBD.tmp\DFBE.bat C:\Users\Admin\AppData\Local\Temp\D7B0.bat"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IS2mS9Rs.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IS2mS9Rs.exe

C:\Users\Admin\AppData\Local\Temp\E156.exe

C:\Users\Admin\AppData\Local\Temp\E156.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1656 -ip 1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\F721.exe

C:\Users\Admin\AppData\Local\Temp\F721.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 388

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ov99zg1.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ov99zg1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe73a546f8,0x7ffe73a54708,0x7ffe73a54718

C:\Users\Admin\AppData\Local\Temp\F9D1.exe

C:\Users\Admin\AppData\Local\Temp\F9D1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffe73a546f8,0x7ffe73a54708,0x7ffe73a54718

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe73a546f8,0x7ffe73a54708,0x7ffe73a54718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4912 -ip 4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe73a546f8,0x7ffe73a54708,0x7ffe73a54718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1420 -ip 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 540

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
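The schtasks command line above and the TamperProtection writes under "Windows security modification" are the two host artefacts on this page worth turning into a check. The Python below is an added example, not sandbox output: it tokenises the schtasks command line copied from this page into its switches, scores the /Create request (repeat interval, action path, /F, task name equal to the binary), and parses the two registry rows to report which registry view each TamperProtection write landed in. The thresholds (an interval of five minutes or less, an action under AppData\Local\Temp) are this example's assumptions.

```python
"""Triage the scheduled task and the Defender registry writes in this report.

Added example, not sandbox output. The schtasks command line and the two
"Set value" rows are copied from this page; the thresholds are assumptions.
"""
import re

SCHTASKS_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe '
                    r'/TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F')

REGISTRY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F721.exe N/A
"""

SC_MINUTES = {"MINUTE": 1, "HOURLY": 60, "DAILY": 1440}  # /SC values that repeat on an interval


def split_windows_cmdline(cmdline):
    """Whitespace-separated tokens; double quotes group and are removed."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_schtasks(cmdline):
    """Map /SWITCH -> value, or True for a bare switch; switches are case-insensitive."""
    tokens = split_windows_cmdline(cmdline)[1:]  # drop the image path
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i].lstrip("/").upper()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def interval_minutes(opts):
    """Repeat interval in minutes, or None when /SC is event-based (ONCE, ONLOGON, ...)."""
    unit = SC_MINUTES.get(str(opts.get("SC", "")).upper())
    if unit is None:
        return None
    return unit * int(opts.get("MO", 1))


def score_task(opts, max_interval=5):
    """Findings for a /Create command; thresholds are this example's assumptions."""
    findings = []
    interval = interval_minutes(opts)
    if interval is not None and interval <= max_interval:
        findings.append(f"repeats every {interval} min")
    run = str(opts.get("TR", ""))
    if "\\appdata\\local\\temp\\" in run.lower():
        findings.append("task action runs from the user's Temp directory")
    if str(opts.get("TN", "")).lower() == run.rsplit("\\", 1)[-1].lower():
        findings.append("task name equals the executable name")
    if opts.get("F") is True:
        findings.append("/F silently replaces an existing task of the same name")
    return findings


REG_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+) N/A$')


def parse_registry_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = REG_RE.match(line.strip())
        if m:
            kind, key, value, process = m.groups()
            rows.append({"type": kind, "key": key, "value": value, "process": process})
    return rows


def defender_tamper_findings(rows):
    """(process, view) for each TamperProtection = 0 write. A WOW6432Node key means
    a 32-bit writer was redirected into the 32-bit view; Defender reads the native key."""
    out = []
    for r in rows:
        k = r["key"].lower()
        if k.endswith("\\windows defender\\features\\tamperprotection") and r["value"] == "0":
            view = "wow6432node" if "\\wow6432node\\" in k else "native"
            out.append((r["process"].rsplit("\\", 1)[-1], view))
    return out


if __name__ == "__main__":
    opts = parse_schtasks(SCHTASKS_CMDLINE)
    print(opts.get("TN"), score_task(opts))
    for proc, view in defender_tamper_findings(parse_registry_rows(REGISTRY_ROWS)):
        print(f"{proc}: TamperProtection=0 written to the {view} registry view")
```

The same parse_schtasks and score_task calls work on schtasks lines from Sysmon or EDR process-creation telemetry; the four findings for the explothe.exe task are what a rule would key on, while a daily task under Program Files with its own name scores nothing.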

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,3457594786716871093,797338356687871618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,17364492967293443303,9665243193902436964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1556,17364492967293443303,9665243193902436964,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,13248724105942639123,18036861538726391374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,13248724105942639123,18036861538726391374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11346153850629866202,5934924018015821008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2Zk984aX.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2Zk984aX.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3312.exe

C:\Users\Admin\AppData\Local\Temp\3312.exe

C:\Users\Admin\AppData\Local\Temp\C90A.exe

C:\Users\Admin\AppData\Local\Temp\C90A.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\E127.exe

C:\Users\Admin\AppData\Local\Temp\E127.exe

C:\Users\Admin\AppData\Roaming\ddvtvbj

C:\Users\Admin\AppData\Roaming\ddvtvbj

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53            146.78.124.51.in-addr.arpa    udp
US       8.8.8.8:53            254.178.238.8.in-addr.arpa    udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53            133.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53            58.99.105.20.in-addr.arpa     udp
US       8.8.8.8:53            41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53            240.81.21.72.in-addr.arpa     udp
FI       77.91.68.29:80        77.91.68.29                   tcp
US       8.8.8.8:53            29.68.91.77.in-addr.arpa      udp
FI       77.91.124.55:19071                                  tcp
RU       5.42.92.211:80        5.42.92.211                   tcp
RU       5.42.65.80:80         5.42.65.80                    tcp
US       8.8.8.8:53            211.92.42.5.in-addr.arpa      udp
US       8.8.8.8:53            80.65.42.5.in-addr.arpa       udp
FI       77.91.124.55:19071                                  tcp
US       8.8.8.8:53            www.facebook.com              udp
US       8.8.8.8:53            accounts.google.com           udp
NL       157.240.247.35:443    www.facebook.com              tcp
NL       157.240.247.35:443    www.facebook.com              tcp
US       8.8.8.8:53            0.240.123.52.in-addr.arpa     udp
US       8.8.8.8:53            35.247.240.157.in-addr.arpa   udp
NL       142.250.179.141:443   accounts.google.com           tcp
NL       142.250.179.141:443   accounts.google.com           tcp
US       8.8.8.8:53            141.179.250.142.in-addr.arpa  udp
N/A      224.0.0.251:5353                                    udp
NL       142.250.179.141:443   accounts.google.com           udp
US       8.8.8.8:53            static.xx.fbcdn.net           udp
CZ       157.240.30.27:443     static.xx.fbcdn.net           tcp
CZ       157.240.30.27:443     static.xx.fbcdn.net           tcp
CZ       157.240.30.27:443     static.xx.fbcdn.net           tcp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53            27.30.240.157.in-addr.arpa    udp
US       8.8.8.8:53            195.179.250.142.in-addr.arpa  udp
FI       77.91.124.55:19071                                  tcp
FI       77.91.124.1:80        77.91.124.1                   tcp
US       8.8.8.8:53            1.124.91.77.in-addr.arpa      udp
US       8.8.8.8:53            88.16.208.104.in-addr.arpa    udp
US       8.8.8.8:53            131.179.250.142.in-addr.arpa  udp
FI       77.91.68.29:80        77.91.68.29                   tcp
TR       185.216.70.222:80     185.216.70.222                tcp
US       8.8.8.8:53            222.70.216.185.in-addr.arpa   udp
FI       77.91.124.55:19071                                  tcp
FI       77.91.124.55:19071                                  tcp
FI       77.91.124.55:19071                                  tcp
FI       77.91.68.29:80        77.91.68.29                   tcp
US       8.8.8.8:53            play.google.com               udp
NL       142.251.36.14:443     play.google.com               tcp
NL       142.251.36.14:443     play.google.com               udp
US       8.8.8.8:53            14.36.251.142.in-addr.arpa    udp
MD       176.123.9.142:37637                                 tcp
FI       77.91.68.29:80        77.91.68.29                   tcp
US       8.8.8.8:53            142.9.123.176.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

MD5 e3f20ad259a862d3cda234b5b25db716
SHA1 da45c1bc0344ee184f7f2f3d6b3a4b0d7cda2e0b
SHA256 4f82b4eaa9ef7dbc28d2c3a1c1b43bfeddfc478e7e8922b680df227b7cbef2af
SHA512 d562a680571d08811c42ed1905dc0524d728428ae9a80d465b6d53a57a6de5dd0522b53da39e3a769ee60faabecc941ce04c484515d604b6e3a4b298e8c9ff4c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tE5gS63.exe

MD5 e3f20ad259a862d3cda234b5b25db716
SHA1 da45c1bc0344ee184f7f2f3d6b3a4b0d7cda2e0b
SHA256 4f82b4eaa9ef7dbc28d2c3a1c1b43bfeddfc478e7e8922b680df227b7cbef2af
SHA512 d562a680571d08811c42ed1905dc0524d728428ae9a80d465b6d53a57a6de5dd0522b53da39e3a769ee60faabecc941ce04c484515d604b6e3a4b298e8c9ff4c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

MD5 cc353418f49a51a7bef2afef59ce5071
SHA1 8a48f140bcac612e7701d1fb4f32f24b040fb986
SHA256 e525e5cc3fff370219746ffdea9b7e95157646810707421dc557c940a20cffbd
SHA512 d67c43d9805ac0eff86fc423cd52089e500f633515aa6560cbb86a795737f875c1e4c8590bd97899a40c0f756333f16b651a1bd1da2aaa3053bc59aaf534e9b4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG5ka69.exe

MD5 cc353418f49a51a7bef2afef59ce5071
SHA1 8a48f140bcac612e7701d1fb4f32f24b040fb986
SHA256 e525e5cc3fff370219746ffdea9b7e95157646810707421dc557c940a20cffbd
SHA512 d67c43d9805ac0eff86fc423cd52089e500f633515aa6560cbb86a795737f875c1e4c8590bd97899a40c0f756333f16b651a1bd1da2aaa3053bc59aaf534e9b4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

MD5 fbfba8262cb0687c1616c345893fd7e1
SHA1 18ec2d75f3eaacd497f05d21be556c0ecf760e4c
SHA256 853f57334d5ae888b689559ff4617207736181e8d057985fd02344f335e49f08
SHA512 f760a79089e3ed9162035ccf6e9cb70922fefac79b1418bf71395e943a73da955a0bdd52f2c1d68d2c9cc7bcdcecc8cec23e1a640f875b2d30b26ae3d0da906b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sq6CQ71.exe

MD5 fbfba8262cb0687c1616c345893fd7e1
SHA1 18ec2d75f3eaacd497f05d21be556c0ecf760e4c
SHA256 853f57334d5ae888b689559ff4617207736181e8d057985fd02344f335e49f08
SHA512 f760a79089e3ed9162035ccf6e9cb70922fefac79b1418bf71395e943a73da955a0bdd52f2c1d68d2c9cc7bcdcecc8cec23e1a640f875b2d30b26ae3d0da906b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zg68IH7.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/4568-28-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/4568-29-0x0000000002460000-0x000000000247E000-memory.dmp

memory/4568-30-0x0000000004A50000-0x0000000004A60000-memory.dmp

memory/4568-31-0x0000000004A50000-0x0000000004A60000-memory.dmp

memory/4568-32-0x0000000004A60000-0x0000000005004000-memory.dmp

memory/4568-33-0x0000000004990000-0x00000000049AC000-memory.dmp

memory/4568-34-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-35-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-37-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-39-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-41-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-43-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-45-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-47-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-49-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-51-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-53-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-55-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-57-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-59-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-61-0x0000000004990000-0x00000000049A6000-memory.dmp

memory/4568-62-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/4568-63-0x0000000004A50000-0x0000000004A60000-memory.dmp

memory/4568-64-0x0000000004A50000-0x0000000004A60000-memory.dmp

memory/4568-66-0x0000000074570000-0x0000000074D20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

MD5 9f7da01ebd8a0ab0d1711de39405883d
SHA1 e92b5303fcae4341f66b365e9df00a191e82c59b
SHA256 9a39312d99741edf3f4a575151ee4d46731bb84baba1ed44fd2a00952d1f01d5
SHA512 62ce69db5827f6a88e9bede29431ab1ab4dc1418fbd4a22c6fdc778c9fc1b1223929964d5c65011f288ffb7271a80591f06e4c0c398ce3c98e163eac904e9200

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy4755.exe

MD5 9f7da01ebd8a0ab0d1711de39405883d
SHA1 e92b5303fcae4341f66b365e9df00a191e82c59b
SHA256 9a39312d99741edf3f4a575151ee4d46731bb84baba1ed44fd2a00952d1f01d5
SHA512 62ce69db5827f6a88e9bede29431ab1ab4dc1418fbd4a22c6fdc778c9fc1b1223929964d5c65011f288ffb7271a80591f06e4c0c398ce3c98e163eac904e9200

memory/5096-70-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5096-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5096-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5096-74-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe

MD5 b5480b46f95352f9f130d44d3b4edabd
SHA1 71dada7841a99782f529de686d81befbf9ee2542
SHA256 3639bbe23698326dcc7daeec6cd16215f1a996782f4ea0eb3359a2b2e80eca8d
SHA512 09854e9b8bf6be48fc7e1effcc472c9aa60bb9763ceeda5d12eff65b4d23cd30dfbf5da632539c241988d3eb3333afed34bef1868cd28f89b5654fc8d8c2dcdb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uw30ar.exe

MD5 b5480b46f95352f9f130d44d3b4edabd
SHA1 71dada7841a99782f529de686d81befbf9ee2542
SHA256 3639bbe23698326dcc7daeec6cd16215f1a996782f4ea0eb3359a2b2e80eca8d
SHA512 09854e9b8bf6be48fc7e1effcc472c9aa60bb9763ceeda5d12eff65b4d23cd30dfbf5da632539c241988d3eb3333afed34bef1868cd28f89b5654fc8d8c2dcdb

memory/4232-78-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4232-79-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe

MD5 52d8b3c8ead2029782a9b47b0693ffda
SHA1 a23dd39dc4104549bf5b9a5a30a680dd862db336
SHA256 05c582979f6d8f491ed9999a0db07694a659c4c803c3c33623267951dacfe83e
SHA512 04e259dc7f12f40921181091bc2c8ebe9c07fa16b7f364a7c478acbe3e71386c91d8ec8b07f52693996b370aa92570e3ce7e76bcc7640813aa13b2f46d679128

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Bh039GC.exe

MD5 52d8b3c8ead2029782a9b47b0693ffda
SHA1 a23dd39dc4104549bf5b9a5a30a680dd862db336
SHA256 05c582979f6d8f491ed9999a0db07694a659c4c803c3c33623267951dacfe83e
SHA512 04e259dc7f12f40921181091bc2c8ebe9c07fa16b7f364a7c478acbe3e71386c91d8ec8b07f52693996b370aa92570e3ce7e76bcc7640813aa13b2f46d679128

memory/1684-83-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3120-84-0x0000000003370000-0x0000000003386000-memory.dmp

memory/4232-86-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1684-88-0x0000000074150000-0x0000000074900000-memory.dmp

memory/1684-89-0x0000000007370000-0x0000000007402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe

MD5 a5814987c9f2408582d895aedd6f3739
SHA1 c1ed94ac3139b6e9e2b5a905d44466127dd9e378
SHA256 651b8fceaffac36afbba4311f95b7594bc8d9f6058a622fc74dea8302a10060b
SHA512 a6f7bd58301e8ce5dcfb1ba800acc4a2e167d81450aa1e03ed3334f0a8922dfd68c43aaf57a140275b4cd3dafe58f2bfc619dcd6d8ec5626c21503d55089a79f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5hl0oq6.exe

MD5 a5814987c9f2408582d895aedd6f3739
SHA1 c1ed94ac3139b6e9e2b5a905d44466127dd9e378
SHA256 651b8fceaffac36afbba4311f95b7594bc8d9f6058a622fc74dea8302a10060b
SHA512 a6f7bd58301e8ce5dcfb1ba800acc4a2e167d81450aa1e03ed3334f0a8922dfd68c43aaf57a140275b4cd3dafe58f2bfc619dcd6d8ec5626c21503d55089a79f

memory/1684-93-0x0000000074150000-0x0000000074900000-memory.dmp

memory/1684-95-0x0000000007520000-0x0000000007530000-memory.dmp

memory/1684-96-0x0000000007320000-0x000000000732A000-memory.dmp

memory/1684-100-0x0000000008450000-0x0000000008A68000-memory.dmp

memory/1684-101-0x0000000007660000-0x000000000776A000-memory.dmp

memory/1684-102-0x0000000007590000-0x00000000075A2000-memory.dmp

memory/3120-103-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-104-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-105-0x0000000008E60000-0x0000000008E70000-memory.dmp

memory/3120-106-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/1684-108-0x00000000075F0000-0x000000000762C000-memory.dmp

memory/3120-109-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-110-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/1684-107-0x0000000007520000-0x0000000007530000-memory.dmp

memory/3120-111-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-112-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-114-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-115-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-116-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-117-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-118-0x0000000008FE0000-0x0000000008FF0000-memory.dmp

memory/3120-119-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-121-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-120-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-123-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-126-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-131-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-132-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/1684-130-0x0000000007770000-0x00000000077BC000-memory.dmp

memory/3120-135-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-129-0x00000000034B0000-0x00000000034C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7C0.exe

MD5 1ad41f512203c8cf7b4729e9e7cf10ad
SHA1 3168c9869caa75a3ff628dce86e704430fe0c713
SHA256 ae7aaa89975d36772953cb0cd969cde95f2dfe65c2b452e68392c476b760289c
SHA512 308944ed8a1e2bc2760cf73f197932b676d70fdca3cd5058e68d0ece4ff6c711b8a6d218f63d6045e9902d652b90c339a8176a0545bd223afd2be4a664811d6d

memory/3120-139-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-146-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-148-0x00000000034B0000-0x00000000034C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe

MD5 41ad3e424d1822ad2ce6281a5d0f21ac
SHA1 c07adbb46c1c56ce8560d80464a6481c919e96ff
SHA256 561651bc121ea5aa347f1fc29e03d191bdf2dc3dadb5295d9a6d9fd51674320d
SHA512 91888abb1b78a6fcc6c4552e868026bff759fd8f61390b7d8f2d1d351651eea55f18ec543750ba2ddcbb89ae69529ea097d45c2e1123ec62bee1545f461ec0fc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\6kY38oV.exe

MD5 7789715f50432de248b0604354e54b03
SHA1 da8085ad15490b649b042829247c5b6ff0f73c54
SHA256 0937cb127717309c200854b9bcc5ecc154ba4223d270226d60a248f1cf0453bf
SHA512 6661abe47b2a2a5ac8e0dfb799a479815f62cef7b1343d72f8ffd6a33190e1deaf5fb30eec88d14677cbe85daad27d6fa29da8059ac9295d71447fed20f5e138

memory/3120-138-0x00000000034B0000-0x00000000034C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7C0.exe

MD5 1ad41f512203c8cf7b4729e9e7cf10ad
SHA1 3168c9869caa75a3ff628dce86e704430fe0c713
SHA256 ae7aaa89975d36772953cb0cd969cde95f2dfe65c2b452e68392c476b760289c
SHA512 308944ed8a1e2bc2760cf73f197932b676d70fdca3cd5058e68d0ece4ff6c711b8a6d218f63d6045e9902d652b90c339a8176a0545bd223afd2be4a664811d6d

memory/3120-128-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3120-149-0x0000000008FE0000-0x0000000008FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jB0xw0Vd.exe

MD5 41ad3e424d1822ad2ce6281a5d0f21ac
SHA1 c07adbb46c1c56ce8560d80464a6481c919e96ff
SHA256 561651bc121ea5aa347f1fc29e03d191bdf2dc3dadb5295d9a6d9fd51674320d
SHA512 91888abb1b78a6fcc6c4552e868026bff759fd8f61390b7d8f2d1d351651eea55f18ec543750ba2ddcbb89ae69529ea097d45c2e1123ec62bee1545f461ec0fc

C:\Users\Admin\AppData\Local\Temp\CB3B.exe

MD5 fae7262abd1ec7a8cc8c733bc11ede7c
SHA1 64c197c8c8db30b547463abf726679573c7dc1a4
SHA256 2f3228dfa4c99b6f28a2cbfddac0dca494eff7cf2eb1e3ce61ecc5ccb1bd431d
SHA512 72f132d4a25b5068102686178866039f21f31f1ff20b1346f4d2d91c7c5180378e5de9151d960cc2ea99b16fba3a6645538e89480651c4118a54ed025e21e2dc

C:\Users\Admin\AppData\Local\Temp\CB3B.exe

MD5 fae7262abd1ec7a8cc8c733bc11ede7c
SHA1 64c197c8c8db30b547463abf726679573c7dc1a4
SHA256 2f3228dfa4c99b6f28a2cbfddac0dca494eff7cf2eb1e3ce61ecc5ccb1bd431d
SHA512 72f132d4a25b5068102686178866039f21f31f1ff20b1346f4d2d91c7c5180378e5de9151d960cc2ea99b16fba3a6645538e89480651c4118a54ed025e21e2dc

memory/3120-159-0x0000000008FE0000-0x0000000008FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A9F7.tmp\A9F8.tmp\A9F9.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ay3zl0rC.exe

MD5 792c51cafc2e42638169ae437c51dbce
SHA1 d840b34940eee49de8a057c08ba38ade5943fcc2
SHA256 b6beca575c96a798af2400521bdffc14c6316a9573830a1621c4ffc82e4d0b4b
SHA512 7b01ea79432aa63e584d91d7d835ce9dec185ca008b5835ebfd328ca43b5f06d39c970e5acc0e0a546c67a2cb70478a4495d34d834f6e6c01e11e243cf7f9d2c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ay3zl0rC.exe

MD5 792c51cafc2e42638169ae437c51dbce
SHA1 d840b34940eee49de8a057c08ba38ade5943fcc2
SHA256 b6beca575c96a798af2400521bdffc14c6316a9573830a1621c4ffc82e4d0b4b
SHA512 7b01ea79432aa63e584d91d7d835ce9dec185ca008b5835ebfd328ca43b5f06d39c970e5acc0e0a546c67a2cb70478a4495d34d834f6e6c01e11e243cf7f9d2c

memory/828-167-0x0000000000400000-0x0000000000433000-memory.dmp

memory/828-168-0x0000000000400000-0x0000000000433000-memory.dmp

memory/828-173-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D7B0.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\D7B0.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PJ9VB9fv.exe

MD5 e74f5f97af168c27ab28c974e21e1338
SHA1 bda37bf06f8ce083fc6eba5657612bc5e7a0105f
SHA256 ffad35238663e36ce392bea5feb58722925b35f45d1e4ee93a5710bd6a142a52
SHA512 068a1efb1d7a67457f8b8dda4484030a4cecaad3c9d75cccaed63c765f5b6ecefa231810de0e21030f11e189831c6d83c75d57f7f5a8b9ec39c0b1e9767cd94d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PJ9VB9fv.exe

MD5 e74f5f97af168c27ab28c974e21e1338
SHA1 bda37bf06f8ce083fc6eba5657612bc5e7a0105f
SHA256 ffad35238663e36ce392bea5feb58722925b35f45d1e4ee93a5710bd6a142a52
SHA512 068a1efb1d7a67457f8b8dda4484030a4cecaad3c9d75cccaed63c765f5b6ecefa231810de0e21030f11e189831c6d83c75d57f7f5a8b9ec39c0b1e9767cd94d

C:\Users\Admin\AppData\Local\Temp\DFBC.tmp\DFBD.tmp\DFBE.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/3120-187-0x0000000008FF0000-0x0000000009000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IS2mS9Rs.exe

MD5 8ddc2fe9e64c2a286ebb17a475fc10de
SHA1 c2281a91a5050fb93bf2a9056ce26ef432004414
SHA256 ba1169dca87c6021ced4225213d5c875542309cf0d3578c476a1d14822b6e58c
SHA512 7328512af1d30ec9417bd4b35927f249ef1d702affee8996081e3ed94649c1820066041e2828b8071e89755433ba167ff64f454d3299efb3981c682d55364d91

C:\Users\Admin\AppData\Local\Temp\E156.exe

MD5 6a49c9777bb5ef386062ccecfd2f1fed
SHA1 8b870c82939d263d7c1161cfb7470290e0eacbbc
SHA256 d6f0cb60335923fe5bad5cd16d95bb7d43452313287ff7ee0cadaf42c6aa887f
SHA512 53fab2da306af9d708d0198df900fe46c7af47539f96564d6539e313ccdaf2757d5d2925df88b46c86ba1d7c61ea5e0c81822b23fa40ce693e22d1ab10230fcc

C:\Users\Admin\AppData\Local\Temp\E156.exe

MD5 6a49c9777bb5ef386062ccecfd2f1fed
SHA1 8b870c82939d263d7c1161cfb7470290e0eacbbc
SHA256 d6f0cb60335923fe5bad5cd16d95bb7d43452313287ff7ee0cadaf42c6aa887f
SHA512 53fab2da306af9d708d0198df900fe46c7af47539f96564d6539e313ccdaf2757d5d2925df88b46c86ba1d7c61ea5e0c81822b23fa40ce693e22d1ab10230fcc

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IS2mS9Rs.exe

MD5 8ddc2fe9e64c2a286ebb17a475fc10de
SHA1 c2281a91a5050fb93bf2a9056ce26ef432004414
SHA256 ba1169dca87c6021ced4225213d5c875542309cf0d3578c476a1d14822b6e58c
SHA512 7328512af1d30ec9417bd4b35927f249ef1d702affee8996081e3ed94649c1820066041e2828b8071e89755433ba167ff64f454d3299efb3981c682d55364d91

memory/4284-198-0x0000000074150000-0x0000000074900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F721.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\F721.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/3140-204-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ov99zg1.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ov99zg1.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

C:\Users\Admin\AppData\Local\Temp\F9D1.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\F9D1.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3140-214-0x00007FFE75E40000-0x00007FFE76901000-memory.dmp

memory/4284-215-0x00000000079C0000-0x00000000079D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c126b33f65b7fc4ece66e42d6802b02e
SHA1 2a169a1c15e5d3dab708344661ec04d7339bcb58
SHA256 ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8
SHA512 eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822

memory/828-226-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

memory/1420-235-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

memory/1420-244-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

memory/1420-241-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

\??\pipe\LOCAL\crashpad_2480_ALHKAQSYTIASPKYO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

\??\pipe\LOCAL\crashpad_3008_IYJAJQFBZBPUFUPR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5486acda839c3b17e5aee9a107b7803f
SHA1 8a38f08b9de1d8291f390acc950464e4a61eb421
SHA256 ddd8d403aa8d66e83062265f4ba199f4c332830f971ab1eae559506ee7d4a587
SHA512 19ecb9bd9bd94b36596e90cb0ef70dd4578eeb737fb17ced1879c2310beca65d15bffd6e93e10fec710ece5ea3818eb3db46c5d0d2cca064348693061ea181d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 488f6033561c43add829731c7f3a0552
SHA1 128247066a313d6d13e9316401310df6ca56bf91
SHA256 d91b286e35f34b13fc6b73843b093ba32ec47850baaf7d77a369e660f629ce25
SHA512 c32f47dae422a8e2686df62c6b7bccb1f26137869f9edd2fefc67dbf32ed3af998d692c1024d80e08c7860929dcc4ad6ba0a73dca36909d9ac460195579efbbe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 488f6033561c43add829731c7f3a0552
SHA1 128247066a313d6d13e9316401310df6ca56bf91
SHA256 d91b286e35f34b13fc6b73843b093ba32ec47850baaf7d77a369e660f629ce25
SHA512 c32f47dae422a8e2686df62c6b7bccb1f26137869f9edd2fefc67dbf32ed3af998d692c1024d80e08c7860929dcc4ad6ba0a73dca36909d9ac460195579efbbe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2a4cd9f8-bbc2-408c-a4f1-635655b076d2.tmp

MD5 9972e987535d150036dc5afff84dcd80
SHA1 e8e52778a4dfb3bfd929f0032a90ff7d7d1fa429
SHA256 e630085c2b71fd9fdf08f8c573bf5493bedb13b25e4a1aa01322dfbe322a0a3e
SHA512 79a334a4ef73f748a29e2bc900afdebe926c9f6d9c3485d34e36bc9c77c8c239f355b695044032ff5bf036b0eebbd4482ed364d766297271cfc24b3dde16bd40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3c03cbe7a72d0722b67de397c93a7f88
SHA1 5d1a594d354e574a3e86ae7f117b72e620106d57
SHA256 b1485c6789e04b25abc7d2572d1d6124a8385104673f863941c5adefe28f2843
SHA512 7031cddfa59bd8d106af990567a9faf70b17942455c151f77b0c80709a7206e52f38a6cfc54223a8384414f8a105558b9c74628cdc83a91929b2183f436fafed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9972e987535d150036dc5afff84dcd80
SHA1 e8e52778a4dfb3bfd929f0032a90ff7d7d1fa429
SHA256 e630085c2b71fd9fdf08f8c573bf5493bedb13b25e4a1aa01322dfbe322a0a3e
SHA512 79a334a4ef73f748a29e2bc900afdebe926c9f6d9c3485d34e36bc9c77c8c239f355b695044032ff5bf036b0eebbd4482ed364d766297271cfc24b3dde16bd40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5486acda839c3b17e5aee9a107b7803f
SHA1 8a38f08b9de1d8291f390acc950464e4a61eb421
SHA256 ddd8d403aa8d66e83062265f4ba199f4c332830f971ab1eae559506ee7d4a587
SHA512 19ecb9bd9bd94b36596e90cb0ef70dd4578eeb737fb17ced1879c2310beca65d15bffd6e93e10fec710ece5ea3818eb3db46c5d0d2cca064348693061ea181d9

memory/3140-324-0x00007FFE75E40000-0x00007FFE76901000-memory.dmp

memory/4284-333-0x0000000074150000-0x0000000074900000-memory.dmp

memory/4284-335-0x00000000079C0000-0x00000000079D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fadbc4df3415c8d2a673aeb27bc16135
SHA1 9856d6483e53f945f28f16612d7623718caed217
SHA256 0d180406d308295d1073dd1c59a8609e02c4574c7d05555c526bd2714d008d91
SHA512 24c10f554f0808e93d042ea9b6248c110e6117be0f9105e72d910143fbe1b6f63d3af257779e7d8b2b556ef505aab11c4b080ffbf9b1bb4dd45ad1a521bd7009

memory/5652-373-0x00000000005F0000-0x000000000062E000-memory.dmp

memory/5652-377-0x0000000074150000-0x0000000074900000-memory.dmp

memory/5652-381-0x0000000007540000-0x0000000007550000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f24cc49aecb97ebad0c48b41e5adf687
SHA1 4121dbfa65a2f7da9fb9022d3f696d5f6fc55ab8
SHA256 7780142cc1d55c5bf2b72cbd2825f2c4013e9820e359d86ca33cf3e49059e53d
SHA512 8b7e459407eeea9a8b4da3536d10c7d42b95a5b1dfb44226809f44a8601a104f4ced4954d445e0285055c28ea8f279779b4bab48ce533c4effaa2cb5d5587e7a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5149b8b7fa1fdd0e1e6d05ae4d598fb9
SHA1 10e57ae6c037e664df15ef638ec1b63a4ce584d6
SHA256 1a154f261541b3de861d68582bdcae814d303db18ee63b62a3781116b73a315f
SHA512 f81c8b73e91f855dac51bf4c4203190541a41bea64e29c7df20d305b27c2e93b9e2aff1dd713a55059668afb900aeaf382b262f7134e65260a554b3c625f6b57

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2e1e34882c3f52ea9d2e2ea31211f745
SHA1 fc77ed53f57e1c211889aa5a912855759f7efb9f
SHA256 6ae50922e45a60ce78006c3063d4997316ae0a4e1cb728869ebcd6bb3039df24
SHA512 177eb0236afa9143a7c2cd6afc15cc5c26f7193563514e21c0bbbd446312c52be94c6063e50ecceae296ec80001bf84a99fcef0fe5fcbae1505db3e36a097e2d

memory/1980-415-0x0000000074150000-0x0000000074900000-memory.dmp

memory/1980-416-0x0000000000630000-0x000000000155A000-memory.dmp

memory/5652-429-0x0000000007540000-0x0000000007550000-memory.dmp

memory/1980-438-0x0000000074150000-0x0000000074900000-memory.dmp

memory/3544-444-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3544-445-0x00000000005E0000-0x000000000063A000-memory.dmp

memory/3544-449-0x0000000074150000-0x0000000074900000-memory.dmp

memory/3544-450-0x0000000007750000-0x0000000007760000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6dcb90ba1ba8e06c1d4f27ec78f6911a
SHA1 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9
SHA256 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416
SHA512 dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/3544-463-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3544-464-0x0000000074150000-0x0000000074900000-memory.dmp