Malware Analysis Report

2025-01-23 11:00

Sample ID 231010-zb71dabe92
Target SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe
SHA256 7944f0abb4c869b6d23312ac230d900720e5fc2461b3dfe0c18f7d5905b09d7f
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan lutyr magia
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7944f0abb4c869b6d23312ac230d900720e5fc2461b3dfe0c18f7d5905b09d7f

Threat Level: Known bad

The file SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe was found to be: Known bad.

Malicious Activity Summary

Detected google phishing page

SectopRAT payload

Healer

RedLine

SectopRAT

Glupteba

RedLine payload

Amadey

Modifies Windows Defender Real-time Protection settings

DcRat

Detects Healer an antivirus disabler dropper

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Glupteba payload

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Windows security modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:33

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:33

Reported

2023-10-10 20:50

Platform

win7-20230831-en

Max time kernel

120s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Glupteba

loader dropper glupteba

Glupteba payload

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\4148.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4148.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\4148.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\4148.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4148.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\4148.exe N/A

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\439A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CDD.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\4148.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4148.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\CFFC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c30000000002000000000010660000000100002000000074e2ee5af276c38a4fdd68a4f6cee9f52f096daa1cbbd0c56000c3392c10862f000000000e8000000002000020000000e060d1b89c08deedcb945e7a4c98a6ed07c2106cf88372855700bf43e46ff88a200000002566a372147094a1568c2a255223d4be06e1b1f27012c1080118a7adf9e9f99940000000dd765de15d6a8628df2477a96c08e4b8f732eae58be6de56f19e5e84f051d88ded2fa4b9aedaaf28d4b4bbc398881480d2f06188720340b59fb37ff386c69c57 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d87c52bbfbd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403132824" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75D7F611-67AE-11EE-AE69-EEDB236BE57B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\9C29.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\9C29.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\94E8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C29.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4148.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8DC6.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2404 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\SysWOW64\WerFault.exe
PID 2404 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\SysWOW64\WerFault.exe
PID 2404 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\SysWOW64\WerFault.exe
PID 2404 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\SysWOW64\WerFault.exe
PID 1184 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe
PID 1184 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe
PID 1184 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe
PID 1184 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe
PID 1184 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe
PID 1184 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe
PID 1184 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe
PID 1184 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\D1E0.exe
PID 1184 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\D1E0.exe
PID 1184 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\D1E0.exe
PID 1184 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\D1E0.exe
PID 2252 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\D1E0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2252 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\D1E0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2252 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\D1E0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2252 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\D1E0.exe C:\Windows\SysWOW64\WerFault.exe
PID 1184 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\Temp\D625.bat
PID 1184 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\Temp\D625.bat
PID 1184 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\Temp\D625.bat
PID 1184 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\Temp\D625.bat
PID 2500 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D625.bat C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D625.bat C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D625.bat C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D625.bat C:\Windows\system32\cmd.exe
PID 2516 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2704 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2704 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2704 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2704 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2704 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2704 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2704 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\CFFC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2540 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2540 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2540 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2540 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2540 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2540 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2540 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2768 wrote to memory of 1300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 1300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 1300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 1300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 672 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 672 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 672 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 672 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 672 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 672 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 68

C:\Users\Admin\AppData\Local\Temp\CFFC.exe

C:\Users\Admin\AppData\Local\Temp\CFFC.exe

C:\Users\Admin\AppData\Local\Temp\D1E0.exe

C:\Users\Admin\AppData\Local\Temp\D1E0.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 132

C:\Users\Admin\AppData\Local\Temp\D625.bat

"C:\Users\Admin\AppData\Local\Temp\D625.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE36.tmp\EE37.tmp\EE38.bat C:\Users\Admin\AppData\Local\Temp\D625.bat"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 280

C:\Users\Admin\AppData\Local\Temp\3A36.exe

C:\Users\Admin\AppData\Local\Temp\3A36.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 132

C:\Users\Admin\AppData\Local\Temp\4148.exe

C:\Users\Admin\AppData\Local\Temp\4148.exe

C:\Users\Admin\AppData\Local\Temp\439A.exe

C:\Users\Admin\AppData\Local\Temp\439A.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\6CDD.exe

C:\Users\Admin\AppData\Local\Temp\6CDD.exe

C:\Users\Admin\AppData\Local\Temp\8DC6.exe

C:\Users\Admin\AppData\Local\Temp\8DC6.exe

C:\Users\Admin\AppData\Local\Temp\94E8.exe

C:\Users\Admin\AppData\Local\Temp\94E8.exe

C:\Users\Admin\AppData\Local\Temp\9C29.exe

C:\Users\Admin\AppData\Local\Temp\9C29.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DF28BE56-2213-4865-9964-2E2BB4C2FA37} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\gadaurw

C:\Users\Admin\AppData\Roaming\gadaurw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010205024.log C:\Windows\Logs\CBS\CbsPersist_20231010205024.cab

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Network

Country  Destination            Domain                  Proto
FI       77.91.68.29:80         77.91.68.29             tcp
FI       77.91.68.29:80                                 tcp
US       8.8.8.8:53             accounts.google.com     udp
NL       142.250.179.141:443    accounts.google.com     tcp
NL       142.250.179.141:443    accounts.google.com     tcp
US       8.8.8.8:53             accounts.youtube.com    udp
US       8.8.8.8:53             play.google.com         udp
NL       142.251.36.14:443      play.google.com         tcp
NL       142.250.179.206:443    accounts.youtube.com    tcp
NL       142.250.179.206:443    accounts.youtube.com    tcp
FI       77.91.68.29:80         77.91.68.29             tcp
RU       5.42.65.80:80          5.42.65.80              tcp
FI       77.91.68.29:80         77.91.68.29             tcp
US       8.8.8.8:53             www.microsoft.com       udp
TR       185.216.70.222:80      185.216.70.222          tcp
FI       77.91.124.1:80         77.91.124.1             tcp
FI       77.91.68.29:80         77.91.68.29             tcp
MD       176.123.9.142:37637                            tcp
US       8.8.8.8:53             pastebin.com            udp
NL       85.209.176.171:80      85.209.176.171          tcp
US       104.20.68.143:443      pastebin.com            tcp
US       8.8.8.8:53             api.ip.sb               udp
US       104.26.13.31:443       api.ip.sb               tcp
US       8.8.8.8:53             tak.soydet.top          udp
FI       95.217.246.182:8443    tak.soydet.top          tcp
US       8.8.8.8:53             bytecloudasa.website    udp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       204.79.197.200:443     ieonline.microsoft.com  tcp
US       204.79.197.200:443     ieonline.microsoft.com  tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       204.79.197.200:443     ieonline.microsoft.com  tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       8.8.8.8:53             host-file-host6.com     udp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       8.8.8.8:53             host-host-file8.com     udp
NL       194.169.175.127:80     host-host-file8.com     tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
FI       77.91.124.1:80         77.91.124.1             tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp
US       104.21.61.162:80       bytecloudasa.website    tcp

Files

memory/2652-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2652-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2652-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2652-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2652-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1184-5-0x0000000002A80000-0x0000000002A96000-memory.dmp

memory/2652-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CFFC.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\CFFC.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\D1E0.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\D1E0.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\D1E0.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\D1E0.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\D1E0.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\CFFC.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\D625.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\D625.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\EE36.tmp\EE37.tmp\EE38.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\Cab22.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8BT23REO\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pucq4vc\imagestore.dat

MD5 0c9fd7c36eb4b9f624a5bff198046d30
SHA1 e1be52aa16e2205d3029eefa8178083004a7dde7
SHA256 6971129284e2ef51b2a2ff860f8c7982974adc065ecd94c1d4e3c218be87e2b9
SHA512 c30e13801abf5f749334e1baa8c477c9ad699a091377f94e7f9c618f3eb81748d5abdfb0b747ddfaae0d42ffe1c2f6d77bb1a2d2c7c7b6cfc2d60c21d16c3c35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b26a1f3b0443a73f5cf7867d47b2948
SHA1 0b5c0b270addceff93bfeb7ce6b19ccd4e5f0a44
SHA256 3e3ce397af01b98050317d5a2cfaa85f861475d1d1c6a85fdd741fed2b1f4a48
SHA512 579354f9c16f0cc546714f759f197da4b5f9dd196fea67e495f74c3f276103341c1c065f45112121a0dccc3a3a6b0ab7a45d1a2553a2a878b8b6aa1a89dcbdc9

C:\Users\Admin\AppData\Local\Temp\Tar2D89.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Temp\3A36.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\3A36.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

\Users\Admin\AppData\Local\Temp\3A36.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

\Users\Admin\AppData\Local\Temp\3A36.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

\Users\Admin\AppData\Local\Temp\3A36.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

\Users\Admin\AppData\Local\Temp\3A36.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\4148.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\4148.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\439A.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\439A.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2240-509-0x00000000012B0000-0x00000000012BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 761cde4129dabaaa98125a4dd6b9fdfc
SHA1 d8133bdedac1e1d076f25dd49218050577d4c465
SHA256 37dd72529d59919c852655a37f7ea9514a30c946308e232b6237501a6b2f4a4c
SHA512 388ff37bd32501302f9185ca308e041cd9232d3d4c9d7540f0b892f8023ff96709a4d9fca60a50a53a1d1a29b3d53503e665907e165e38650ea80a54def00ad5

C:\Users\Admin\AppData\Local\Temp\6CDD.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\6CDD.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 99def560bd454a2ff1d67e0e7fc58073
SHA1 b52d02dc8f689c892f7a8981ae488a6f5d224a4e
SHA256 25ca76ca073d743980b300552cced960eafe7358f9b517cbab26a2efd59749dd
SHA512 b98f69b3f644572be2bfd66b07230f9be25f075fa7b33206128b953ddc37afc16a796e9a6273f3142bd11c140bc330ddeb139e1e1d0274be4b0f136362da4979

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\8DC6.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\8DC6.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/1668-631-0x0000000000600000-0x000000000065A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94E8.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\94E8.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\9C29.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/1564-644-0x0000000000020000-0x000000000003E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C29.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\94E8.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2236-652-0x0000000000FB0000-0x0000000000FCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8DC6.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2240-653-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

memory/1668-654-0x0000000000400000-0x000000000046F000-memory.dmp

memory/788-655-0x0000000001320000-0x000000000224A000-memory.dmp

memory/1668-657-0x0000000070C00000-0x00000000712EE000-memory.dmp

memory/1564-659-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1564-660-0x0000000070C00000-0x00000000712EE000-memory.dmp

memory/2236-661-0x0000000070C00000-0x00000000712EE000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2801bfeb729db552aa631618e3ec7c12
SHA1 b6ff4bd6df8ffe331e181d9ba254021bcca36c3b
SHA256 35783beda714f15e90454dff0621dec4745d976b3b61e068c3f8c7bccabf52f6
SHA512 d2b992b6abecc1444a395783c0bbf021aeb318ecb1669ad7762c4fe088aa273b85227c833f86abdc8252bfaa6a9b28d2b6aa7e103bf19fa91ed45c38e4ea10d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f85784bba0bec350dfcfdb53b12f40b
SHA1 0e0e1f4364d1daeb9bb7a74dd3e87cd28d94d91c
SHA256 90183726896e97c55f444c662ee1bcec6d3195c1f2ca6cdb44d8fc5ba8adcff2
SHA512 e1436f58765629a132bac4300e8f2f7bfbb77c91d37010afc707579ca5a64b9c6db57da347233f3a72f44ea696bdefb71214310014fc98602fb2426a9152a0f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d73c51c0807f80dc93111ce4cad74108
SHA1 e217fc43fb6c32a1e8c3430fe0c1c5f0d948b946
SHA256 9e54886838b7376469986fc73575d41c6db9d66945aa29efb1ca8c47e4900ad9
SHA512 0dbb4e49e03f5066b02a8ac5355c3d6e6d1aa5bfcc5b81d343fd8a04117dbc24d65f89d491b9d611e4e534e99faa368589fb88a13c3b933d9cef4386de2a0491

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 4ec5a5fc88893c1adf27b164de964a65
SHA1 510c3d32240f476cedac3d754525e5c84b9618e6
SHA256 3a43697987c3100f3b54dbda2d121de585eb39d9c9d7fd730d049329df2e3bd6
SHA512 9f8168d1d74feb5676cd7d3bfc7ce49a99c524f871c56e643a8a9a003d8c4fa913f427886a87ead6001bfc3fef0db3d1f58fd00707316dc57b156cc27b51f681

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76479613b8abd8daf9fed7afd9699429
SHA1 6acfb9330f75d42685f05429e85d9d105e225eeb
SHA256 89995a29ae40379bdcb57e24da0b4f8ba2586bc4febfc7bf5b24abbe4f656e51
SHA512 b294f3761ff4744ddf51a2b70d45f42e785cde9ad4733c588f1efa6ce7d6f0cdbe5a7c191943cc0e24b9c37106a3b9f863cca9bc6f4269f0deb2b332879bc46b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffbd4d8b004cb7d98580190855509cdc
SHA1 104988ee223f55310b4fcd9be122e07125218103
SHA256 77b76d7d9058e438c9433e1e9662f5b5485f081a10dfd9ce7f438460e49aa1d3
SHA512 ca00670b91ec400ec895f3efbe56db6802851a43df6dc91270a89b82f1b45146da7303235c09b749cbb3441caac1cbad59ac0909222f9b70f3b15f647603db31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5a01f086f21ea1f4f58dc2e97bb7fa3
SHA1 70817d2e8c402a29c5eecb7a98f7898861d3d756
SHA256 fbd95a308be58711f5e7daeb3b2f4a74a53f2002a72c628c9bc200de5773e36b
SHA512 df3b4faea28ae0f1a1b1fc77af8141fefb768378f556265b28cd8b4fa02b6a7f5109d3a143a0c719ec68eb159c4c8a8e9e4c513a545cbd568a3e211a557a8505

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51727e731d7d5988250478c4734c1892
SHA1 13a0a6d2f1fa3a7ab2ca4aa61c1375b69201e277
SHA256 f702d1788a639f31973989993fa39fb6dc8ff256a6652c39d87a984bbfcba9b7
SHA512 f12697c7981231f191fe872fe2046bfa66e642ca1bb90743d8065809ba0340a55897f16a6779fde01e47973b591547c7d81f402c20dcefc3a1990265f65fcb2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aee50b36560b3c216898ad6005de95d9
SHA1 f0372469d92c98cc544a210c7e34ec65804d697b
SHA256 eb8e58fa76d3a83745d2df105549d97cbfd1a340c77d1b91241153e7c2d4fb2d
SHA512 614f24227400204075ec62567addce95f43e5d9773527e656d3ecd3c79f36d23467c47afd572b4ac46dfc211e1147c40049f7fcd4ae72cf419b7ef70b807cfba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6001587fb3a918d39940d1f2f82dc18f
SHA1 0d5fb65e9fe92662902d7f9d3dc08e090932bebd
SHA256 453d34538486fc13fe91a13515dac1142e6b6e1b507b89395dada54eb33801ef
SHA512 50ba0afdd7cf768db0fa03acfe054e285f888b411ea71ae9b8fc01b01ccfa1e8e6a60fca7b28b71e144906453a8399b80b39d1684ffa444b00493799fd5a1efe

C:\Users\Admin\AppData\Local\Temp\tmp8D3.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp8F8.tmp

MD5 f53b7e590a4c6068513b2b42ceaf6292
SHA1 7d48901a22cd17519884cef703088b16eb8ab04f
SHA256 1ba7ecb5cecec10e4cc16b2e5668ba5ea4f52307f5543aba78e83de61e9fb3bf
SHA512 db510c474e4736ae8d23ee020bc029966f8ff2a9146dfc6a79604b05c4d95a4ce7a3d91a26c7d056e925012d62f459744db1d6df91e65c3da77ef6a1ab0ee231

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:33

Reported

2023-10-10 20:51

Platform

win10v2004-20230915-en

Max time kernel

110s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Glupteba

loader dropper glupteba

Glupteba payload

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\2D0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\2D0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2D0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\2D0A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\2D0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2D0A.exe N/A

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1988 created 2660 N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2A68.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2E53.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\61F7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A23D.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\2D0A.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1FC8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2D0A.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AFDB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B8F4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2660 wrote to memory of 4680 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1FC8.exe
PID 4680 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\1FC8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2660 wrote to memory of 456 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\271C.exe
PID 3740 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2232 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 1028 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe
PID 4768 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe
PID 2660 wrote to memory of 2756 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2A68.bat
PID 456 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\271C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 456 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\271C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 456 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\271C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 456 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\271C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 456 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\271C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 456 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\271C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 456 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\271C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 456 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\271C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2660 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2C0F.exe
PID 2660 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2C0F.exe
PID 2660 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2C0F.exe
PID 2660 wrote to memory of 3964 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2D0A.exe
PID 2660 wrote to memory of 3964 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2D0A.exe
PID 3756 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3756 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2A68.bat C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2A68.bat C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 4816 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2E53.exe
PID 2660 wrote to memory of 4816 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2E53.exe
PID 2660 wrote to memory of 4816 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2E53.exe
PID 2244 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2C0F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24632.28701.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1844 -ip 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 156

C:\Users\Admin\AppData\Local\Temp\1FC8.exe

C:\Users\Admin\AppData\Local\Temp\1FC8.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\271C.exe

C:\Users\Admin\AppData\Local\Temp\271C.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\2A68.bat

"C:\Users\Admin\AppData\Local\Temp\2A68.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 416

C:\Users\Admin\AppData\Local\Temp\2C0F.exe

C:\Users\Admin\AppData\Local\Temp\2C0F.exe

C:\Users\Admin\AppData\Local\Temp\2D0A.exe

C:\Users\Admin\AppData\Local\Temp\2D0A.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2B32.tmp\2B33.tmp\2B34.bat C:\Users\Admin\AppData\Local\Temp\2A68.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3756 -ip 3756

C:\Users\Admin\AppData\Local\Temp\2E53.exe

C:\Users\Admin\AppData\Local\Temp\2E53.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4820 -ip 4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2244 -ip 2244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 388

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kf426Vj.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kf426Vj.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe237e46f8,0x7ffe237e4708,0x7ffe237e4718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe237e46f8,0x7ffe237e4708,0x7ffe237e4718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,15611637350908126586,16364918867113855901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15611637350908126586,16364918867113855901,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\61F7.exe

C:\Users\Admin\AppData\Local\Temp\61F7.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\A23D.exe

C:\Users\Admin\AppData\Local\Temp\A23D.exe

C:\Users\Admin\AppData\Local\Temp\AFDB.exe

C:\Users\Admin\AppData\Local\Temp\AFDB.exe

C:\Users\Admin\AppData\Local\Temp\B8F4.exe

C:\Users\Admin\AppData\Local\Temp\B8F4.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2618869340561180581,2382109705421953398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5816 -ip 5816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Roaming\agffjia

C:\Users\Admin\AppData\Roaming\agffjia

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\daffjia

C:\Users\Admin\AppData\Roaming\daffjia

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

Network


Files

memory/4456-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4456-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2660-2-0x0000000002D60000-0x0000000002D76000-memory.dmp

memory/4456-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1FC8.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\1FC8.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\271C.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\271C.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\2A68.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\2A68.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/5108-57-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2A68.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/5108-58-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5108-59-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5108-61-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C0F.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\2D0A.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/4820-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4820-73-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3964-71-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/3964-76-0x00007FFE21C10000-0x00007FFE226D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E53.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4820-80-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5108-83-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3616-84-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\2B32.tmp\2B33.tmp\2B34.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/3616-91-0x0000000072210000-0x00000000729C0000-memory.dmp

memory/3616-95-0x00000000073C0000-0x0000000007452000-memory.dmp

memory/3616-94-0x00000000078D0000-0x0000000007E74000-memory.dmp

memory/3616-96-0x0000000007640000-0x0000000007650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kf426Vj.exe

MD5 bb6d1132944801ee447678e1bb873f4b
SHA1 3ff8e24650ede043374080ee3bb68e5b029e3165
SHA256 c0cdbb93974bd70eaf1247f5f4e5c0e94238059da36d3b6c411f7abf3303c0c7
SHA512 aabe46394d217965b0564134505a37f1e908a1ad9f01d31dd0d144eb4d929017725fde184580b3492b3a0e5888f9ddbfa7d3c474305b6862ba7c3fe4bb486cbb

memory/4456-101-0x0000000000D60000-0x0000000000D9E000-memory.dmp

memory/3616-100-0x00000000073A0000-0x00000000073AA000-memory.dmp

memory/4456-102-0x0000000072210000-0x00000000729C0000-memory.dmp

memory/3616-103-0x00000000084A0000-0x0000000008AB8000-memory.dmp

memory/4456-104-0x0000000007D50000-0x0000000007D60000-memory.dmp

memory/3616-105-0x0000000007760000-0x000000000786A000-memory.dmp

memory/3616-106-0x0000000007610000-0x0000000007622000-memory.dmp

memory/3616-107-0x0000000007690000-0x00000000076CC000-memory.dmp

memory/3616-108-0x00000000076D0000-0x000000000771C000-memory.dmp

memory/3964-110-0x00007FFE21C10000-0x00007FFE226D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

\??\pipe\LOCAL\crashpad_588_DKHDKBEFSRLQUHFH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_4880_SACIGTDKQIQGTQAS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c8860f5f9e56ef2afbabae890c657dff
SHA1 ba11807bff8d6ff148c0f8fa1d60371797a0af1d
SHA256 ded57d52cdbb379ddd698d3aef1ddf52cf1722aa1630e89e98f85de03bb68447
SHA512 b243e781d7024975088e66c2c0acd0783427be537c212e5f5ea81c3860e3d0045cd7642ad988e1e5c5720ad5aa2e27cde18695effcb29f28aa7671b2bafa32df

memory/3616-160-0x0000000072210000-0x00000000729C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f85f63ad1655d6fd632b786a796168f0
SHA1 e46b94c822f63b52ab00304266a99b52bfc8dd69
SHA256 58869add6982c35bef3763915801858105994de9c3227397451b8dad6ecf4a4c
SHA512 48a62faa53e9a2d588e84f5eae2ea5aee086942df07692bdef61f64a69c484e129b7e5c6a3b6c4e5f523621243a1024218dd2d58eeae8e7b53c125aa2874b3f3

memory/3964-167-0x00007FFE21C10000-0x00007FFE226D1000-memory.dmp

memory/3616-170-0x0000000007640000-0x0000000007650000-memory.dmp

memory/4456-187-0x0000000072210000-0x00000000729C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61F7.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/5624-196-0x0000000072210000-0x00000000729C0000-memory.dmp

memory/5624-215-0x0000000000CB0000-0x0000000001BDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/5016-279-0x0000000072210000-0x00000000729C0000-memory.dmp

memory/5016-280-0x00000000002F0000-0x0000000000806000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dee8f818e6d8e1f6e0c09539c317bd47
SHA1 dbbd959e192caa42925f631b0db28c01ef4b591e
SHA256 8c55c61ee83653c616f4db874748e7766d9eed10e1d4c689b8b690913590c6d6
SHA512 13cdeb7822c12dc80071fb7d12c9838fa67983d1dd49316866e2377ad64e6f81d389337b5f9b0ddd83483202280d887de3f67bfd0f95cb6750843fcb203be214

memory/6080-298-0x00000000025A0000-0x00000000026A0000-memory.dmp

memory/6080-299-0x00000000023E0000-0x00000000023E9000-memory.dmp

memory/1736-300-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1736-302-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 69058431c436f68d2339366dec98c963
SHA1 ec5fb77fea48851741918da2e99f8c45428ad0a1
SHA256 43737ee378b33eed0cd384732813b61dc71789eb7f65d1b92d7aeef0b2302ead
SHA512 b73a083253071dc1365100ec511da438fd4827802887739a32b77f3b0e30c61fc0f5660bd08d7383eaafb9067e96071a9dc28730b4efe22d4bbee3548656f067

memory/4656-305-0x00000000042C0000-0x00000000046BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4656-308-0x00000000047C0000-0x00000000050AB000-memory.dmp

memory/5016-310-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/5624-313-0x0000000072210000-0x00000000729C0000-memory.dmp

memory/2660-317-0x0000000002C50000-0x0000000002C66000-memory.dmp

memory/1736-318-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4656-322-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5016-323-0x00000000050A0000-0x00000000050A1000-memory.dmp

memory/4656-326-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5016-328-0x0000000072210000-0x00000000729C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A23D.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/4656-346-0x00000000047C0000-0x00000000050AB000-memory.dmp

memory/4656-347-0x00000000042C0000-0x00000000046BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AFDB.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\B8F4.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6dcb90ba1ba8e06c1d4f27ec78f6911a
SHA1 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9
SHA256 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416
SHA512 dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

memory/5016-367-0x0000000005370000-0x000000000540C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5be29c04285588372556efad3ab8d864
SHA1 7fd845dbb9a539174eea00049908274835dfc421
SHA256 526c10a1e297db8d11c56c212882ddb7794bac6c7d7a7631006c7f5cd6b3b970
SHA512 4be0bfc7a373d965dea8ffaa19966e5a0ce49fe616dabc425595d664ee2b62aa7c7bce3de3c4af2166014074d0ca08ef89cb2b514b3af4d922c0519671309cf2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ed93fabfb8439926325c8ad12effcf4c
SHA1 e2b6993e7ba76587ec959dfcf1d7cf2b77e72186
SHA256 b8718e67a0963be329aab28d68269107ce04014d01bb1dfd41df4e9fde6dbbd2
SHA512 8515e4deed302ef93ea0f9bf210e6f51413d869b0455969e89eb41a1365c75486f872a1d029a03956126d1dd40f1cd3d5b826af13a67dfd9487b9cc2b9e1bb91

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58eec0.TMP

MD5 c7d3087b83cc43e950b113c3864c5aeb
SHA1 85560dc6b04f990fb59941660dd51e8b791b8cc1
SHA256 561bd8b2105a193fbd3d76d9bb29799860deb8e906eb9b29b8b056e2a53bf80c
SHA512 c9d950eaa6fa46c141a714029256abf09116043a459693f55f4a950e0a83fdc23aa73bab2ae1d17c8c96d78e6d685cdd901d6cda0b88ad3d5de0fb8c69646706

memory/4656-397-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5916-400-0x0000000000DE0000-0x0000000000DFE000-memory.dmp

memory/1988-404-0x00007FF6D1C40000-0x00007FF6D21E1000-memory.dmp

memory/5896-406-0x00000000001E0000-0x00000000001FE000-memory.dmp

memory/5816-407-0x0000000000610000-0x000000000066A000-memory.dmp

memory/4656-408-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5916-418-0x0000000072210000-0x00000000729C0000-memory.dmp

memory/5816-419-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5896-420-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5816-421-0x0000000072210000-0x00000000729C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 dc8e5f58cafeed1cab90c136cab3f5d9
SHA1 655f5331fc88e73ed84f35f613fa4c8ca41ab7af
SHA256 61288e260485190af7782f4fcca25ec600c8d0daec241706ff7ebaa9dc719bd4
SHA512 a2c8ad599201cd63cbe3cb3f3a9316d6ad1ec81593eca519c8cb19bb4effdd5cfc4a6758a524a26ab67b67e6033db76b6bb7ab840fba56d93b35d4130e943028

memory/5916-443-0x0000000005600000-0x0000000005610000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/2080-460-0x0000025E885C0000-0x0000025E885E2000-memory.dmp

memory/5016-461-0x00000000051A0000-0x00000000051BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k45zpymc.eoz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5016-463-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-462-0x00000000051A0000-0x00000000051B5000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/4656-459-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5016-471-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-474-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/1988-472-0x00007FF6D1C40000-0x00007FF6D21E1000-memory.dmp

memory/5896-476-0x0000000072210000-0x00000000729C0000-memory.dmp

memory/5016-477-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/2080-479-0x00007FFE21780000-0x00007FFE22241000-memory.dmp

memory/2080-483-0x0000025E88580000-0x0000025E88590000-memory.dmp

memory/5016-487-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/2080-485-0x0000025E88580000-0x0000025E88590000-memory.dmp

memory/5016-486-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-480-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-489-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-491-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-493-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-495-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-497-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-499-0x00000000051A0000-0x00000000051B5000-memory.dmp

memory/5016-500-0x0000000005730000-0x0000000005731000-memory.dmp

memory/6056-501-0x0000000000400000-0x000000000047F000-memory.dmp

memory/6056-502-0x0000000000400000-0x000000000047F000-memory.dmp

memory/6056-504-0x0000000000400000-0x000000000047F000-memory.dmp

memory/6056-505-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5016-506-0x0000000072210000-0x00000000729C0000-memory.dmp

memory/5896-507-0x0000000005E70000-0x0000000006032000-memory.dmp

memory/5896-511-0x0000000006060000-0x000000000658C000-memory.dmp

memory/2080-510-0x0000025E88580000-0x0000025E88590000-memory.dmp

memory/5896-512-0x0000000006640000-0x00000000066A6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1def33ac750d7e387b0ceb84df95ba98
SHA1 e8c13f3d8ed58e4f6558c787096f8c495057f38a
SHA256 41c1baf9b58ddb9009e289f1315e899688795f480169d6025e003bab581c568e
SHA512 f42cb6be06058907647da374cb988fe94c6fdd62259ea03bb5ee6d9e3f03e6a08efa2a423d13d64ea7a0942b38948547a2250f537f6ed84eab36e9a597fd476b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7da309a3f397027f9658e2b5d0b0b943
SHA1 24650c0edfab79ecdba1d3801ef1fa9c14a6a62b
SHA256 8e68d5cf118847347d7ef3bcd4ae7169222aa16d4abe787b249f2f51fc5e2846
SHA512 5b0b7fb1a23165942131706bee2d5587ef75a483510c194cfacbca205966eb7482aff024db6a471f3f44a9b1cfbddf59b5874411bd2f74f71919532e007fbccf

memory/2080-534-0x00007FFE21780000-0x00007FFE22241000-memory.dmp
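Three things in the listing above matter before any of these hashes go into a blocklist, and a parser that handles them is worth having: the same path and hash block appears repeatedly (the file was written more than once), the two crashpad named pipes carry the MD5/SHA1/SHA256/SHA512 of zero bytes (the sandbox could not read the object, so those digests match every empty file anywhere), and 2E53.exe and fefffe8cea\explothe.exe carry identical hashes (the same Amadey-tagged payload staged under a second path). The script below is an added example, not code from the report or the sandbox that produced it. It parses the report's line-oriented layout (path, blank line, four hash lines, plus memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp records), dedupes the entries, flags unusable hashes, groups identical content by SHA256, and turns memory ranges into sizes. SAMPLE is a constructed excerpt of four entries and one memory line copied from the listing; the function and field names are this example's own.

```python
import hashlib
import re
from collections import defaultdict

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: four entries and one memory line copied from the listing above,
# in the report's own layout (path, blank, four hash lines). Not the whole section.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\2E53.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3616-84-0x0000000000400000-0x000000000043E000-memory.dmp

C:\\Users\\Admin\\AppData\\Local\\Temp\\fefffe8cea\\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\\Users\\Admin\\AppData\\Local\\Temp\\fefffe8cea\\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\\??\\pipe\\LOCAL\\crashpad_588_DKHDKBEFSRLQUHFH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def parse_files_section(text):
    """Split the Files listing into file entries (path + hashes) and memory-dump records."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:  # memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp -> region size in bytes
            pid, event, start, end = m.groups()
            dumps.append({"pid": int(pid), "event": int(event), "size": int(end, 16) - int(start, 16)})
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS:
            if current is None:  # hash line with no path above it (entry cut off at a page break)
                files.append(current := {"path": None})
            current[algo] = digest.lower()
        else:  # any other line is a path and opens a new entry
            files.append(current := {"path": line})
    return files, dumps


def hash_problems(entry):
    """Reasons an entry's hashes are not usable as indicators (empty list = usable)."""
    problems = [f"{a} missing or malformed" for a in HASH_ALGOS
                if len(entry.get(a, "")) != HEX_LEN[a]]
    # All four digests of zero bytes: the sandbox could not read the object (a named pipe
    # here); blocking these would match every empty file on every host.
    if all(entry.get(a) == hashlib.new(a.lower()).hexdigest() for a in HASH_ALGOS):
        problems.append("hashes of empty input (object unreadable)")
    return problems


def dedupe(files):
    """Collapse repeated (path, SHA256) blocks, keeping first-seen order and a write count."""
    seen, out = {}, []
    for e in files:
        key = (e["path"], e.get("SHA256"))
        if key not in seen:
            seen[key] = dict(e, occurrences=0)
            out.append(seen[key])
        seen[key]["occurrences"] += 1
    return out


def analyze(text):
    """IOC view of the listing: usable SHA256s, flagged entries, same-content copies, dumps."""
    files, dumps = parse_files_section(text)
    unique = dedupe(files)
    by_hash = defaultdict(set)  # SHA256 -> every distinct path carrying that content
    for e in unique:
        if e["path"] and e.get("SHA256"):
            by_hash[e["SHA256"]].add(e["path"])
    return {
        "raw_entries": len(files),
        "unique_entries": len(unique),
        "usable_sha256": sorted({e["SHA256"] for e in unique if e["path"] and not hash_problems(e)}),
        "flagged": {e["path"]: hash_problems(e) for e in unique if hash_problems(e)},
        "copies": {h: sorted(p) for h, p in by_hash.items() if len(p) > 1},
        "dumps": dumps,
    }
```

Run `analyze()` over the whole Files section of the report rather than the excerpt and the same checks apply: the "copies" map surfaces every payload that was staged under a second name, "flagged" removes the pipe entries from the blocklist, and the dump sizes (0x3E000 bytes for the 3616 region above) give a quick sanity check on which dumps are whole unpacked images rather than small heap fragments.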