Malware Analysis Report

2025-01-23 10:12

Sample ID 231010-zbentsbe63
Target file
SHA256 9caecc47d2e4e9758cd72483a679ccbc2ba4c6bc7966fa82eccbca74404a457c
Tags
amadey healer mystic redline smokeloader lutyr magia up3 backdoor dropper infostealer persistence stealer trojan dcrat glupteba sectoprat 6012068394_99 pixelscloud evasion loader ransomware rat
score
10/10

Analysis Overview

score
10/10

SHA256

9caecc47d2e4e9758cd72483a679ccbc2ba4c6bc7966fa82eccbca74404a457c

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

Glupteba

Glupteba payload

SmokeLoader

Healer

Mystic

Amadey

Detect Mystic stealer payload

SectopRAT payload

SectopRAT

RedLine payload

DcRat

RedLine

Detects Healer an antivirus disabler dropper

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Stops running service(s)

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:32

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:32

Reported

2023-10-10 20:47

Platform

win10v2004-20230915-en

Max time kernel

24s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F174.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 3480 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 3480 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 3972 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 3972 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 3972 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 1596 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1596 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1596 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1596 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1596 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1596 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3972 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe
PID 3972 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe
PID 3972 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3480 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe
PID 3480 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe
PID 3480 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe
PID 3200 wrote to memory of 5004 N/A N/A C:\Users\Admin\AppData\Local\Temp\F174.exe
PID 3200 wrote to memory of 5004 N/A N/A C:\Users\Admin\AppData\Local\Temp\F174.exe
PID 3200 wrote to memory of 5004 N/A N/A C:\Users\Admin\AppData\Local\Temp\F174.exe
PID 5004 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\F174.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe
PID 5004 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\F174.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe
PID 5004 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\F174.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe
PID 3200 wrote to memory of 1428 N/A N/A C:\Users\Admin\AppData\Local\Temp\F30C.exe
PID 3200 wrote to memory of 1428 N/A N/A C:\Users\Admin\AppData\Local\Temp\F30C.exe
PID 3200 wrote to memory of 1428 N/A N/A C:\Users\Admin\AppData\Local\Temp\F30C.exe
PID 3656 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe
PID 3656 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe
PID 3656 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe
PID 1352 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe
PID 1352 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe
PID 1352 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 588

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe

C:\Users\Admin\AppData\Local\Temp\F174.exe

C:\Users\Admin\AppData\Local\Temp\F174.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\F30C.exe

C:\Users\Admin\AppData\Local\Temp\F30C.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\F416.bat

"C:\Users\Admin\AppData\Local\Temp\F416.bat"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\F60B.exe

C:\Users\Admin\AppData\Local\Temp\F60B.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1428 -ip 1428

C:\Users\Admin\AppData\Local\Temp\F725.exe

C:\Users\Admin\AppData\Local\Temp\F725.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4756 -ip 4756

C:\Users\Admin\AppData\Local\Temp\F87E.exe

C:\Users\Admin\AppData\Local\Temp\F87E.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F4A1.tmp\F4A2.tmp\F4A3.bat C:\Users\Admin\AppData\Local\Temp\F416.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4620 -ip 4620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1560 -ip 1560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 388

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yI890Ix.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yI890Ix.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe485746f8,0x7ffe48574708,0x7ffe48574718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe485746f8,0x7ffe48574708,0x7ffe48574718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,5048219504192092290,1562029693882922600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,5048219504192092290,1562029693882922600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2DF7.exe

C:\Users\Admin\AppData\Local\Temp\2DF7.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4171867026537466182,8459357545870375051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

MD5 cb1af71ceead417172b28de58431ef66
SHA1 c5e0ec5d020a25deabc48084658e820977b0b4aa
SHA256 6ce79dba9cb413c17a6329782e03d458b45ba6c666c4bc0ea25ad987ad622109
SHA512 5e409b1d51efed7cfdc98a301f8b68e0cfb80fb8dbe80f306ac15d2af105198bfae17d54348be867224c39a9cbf99e1d0dfffffe69898f4f4589618c15251fd0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

MD5 cb1af71ceead417172b28de58431ef66
SHA1 c5e0ec5d020a25deabc48084658e820977b0b4aa
SHA256 6ce79dba9cb413c17a6329782e03d458b45ba6c666c4bc0ea25ad987ad622109
SHA512 5e409b1d51efed7cfdc98a301f8b68e0cfb80fb8dbe80f306ac15d2af105198bfae17d54348be867224c39a9cbf99e1d0dfffffe69898f4f4589618c15251fd0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

MD5 410af2f3e0bc3d247844509d7612fca0
SHA1 96bf45d02d6539dd6a575a3f517d4ebaa9f84343
SHA256 2356f822dafd186b6ff9a93ad828b9b5b72bf51e5e1f33d634b3570f09101cff
SHA512 b41be9ccab2469bdf8a732fee4b340438f0005bfef7117da858731790a062287603c6cbcad839e8a3b1e7d6c6a25d5f38fa79159030eae4927b16def344e977e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

MD5 410af2f3e0bc3d247844509d7612fca0
SHA1 96bf45d02d6539dd6a575a3f517d4ebaa9f84343
SHA256 2356f822dafd186b6ff9a93ad828b9b5b72bf51e5e1f33d634b3570f09101cff
SHA512 b41be9ccab2469bdf8a732fee4b340438f0005bfef7117da858731790a062287603c6cbcad839e8a3b1e7d6c6a25d5f38fa79159030eae4927b16def344e977e

memory/216-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/216-15-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe

MD5 da6f805e679c4f2456bf9b5908c8af58
SHA1 9b0d895770ae68c1e4d16235d7ab08be759af70b
SHA256 10a6c645178272da1631c2ce32450af5959e6241a18b3720c46629f5536b7019
SHA512 e14ff290f4f3663b83d17a162f64cc0a6ccee7945cd188e4a0969c634fb5450020fef3fceca6074cc4637d552b915f3159504e32b5d717a85286b894dc59ce45

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe

MD5 da6f805e679c4f2456bf9b5908c8af58
SHA1 9b0d895770ae68c1e4d16235d7ab08be759af70b
SHA256 10a6c645178272da1631c2ce32450af5959e6241a18b3720c46629f5536b7019
SHA512 e14ff290f4f3663b83d17a162f64cc0a6ccee7945cd188e4a0969c634fb5450020fef3fceca6074cc4637d552b915f3159504e32b5d717a85286b894dc59ce45

memory/3300-19-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3300-20-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3300-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3300-23-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe

MD5 90d0e9c28de807490744702047f6eb59
SHA1 63970b77663d449cc076ae4f87a6b77447acf843
SHA256 40e9dc6ea3a1acb0a951c025ef02c8c1618225e97fd973c7649f880bd29dc7d8
SHA512 ced9d267998b38743ccf7b61e73ecdb2c03738885475c2272d06fa5c5a3ad02728c9b75a6cd3ab979115407cbd0d07b379dd4aff0f9c95ce28ca6a540a17b728

memory/216-29-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3200-27-0x00000000012E0000-0x00000000012F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F174.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\F30C.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\F416.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\F416.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/2652-77-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F60B.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

memory/2652-80-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F60B.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

memory/2652-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2652-84-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4780-87-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F725.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/1560-91-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F87E.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1560-89-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1560-98-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4780-99-0x00007FFE4AA40000-0x00007FFE4B501000-memory.dmp

memory/1704-100-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1704-108-0x00000000728B0000-0x0000000073060000-memory.dmp

memory/2652-109-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1704-110-0x0000000007B80000-0x0000000008124000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yI890Ix.exe

MD5 b040c02309d545bf8cf5ccceec2dd9e2
SHA1 4620a51f9250b4c1d3b6f40481be096795eac99d
SHA256 a5a73ed941b5aec41b6b9f254808134fc5a18640da926d393a78e39a55a2f90b
SHA512 cf937e82c55803053040920ea91af1adf69a8d13993152f88df601eb880e37cc5426c3279792aab60b546ec40fff55f805cb589d83a7abad6849db8d3629f253

memory/4212-116-0x00000000728B0000-0x0000000073060000-memory.dmp

memory/4212-115-0x0000000000E60000-0x0000000000E9E000-memory.dmp

memory/1704-114-0x0000000007670000-0x0000000007702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yI890Ix.exe

MD5 b040c02309d545bf8cf5ccceec2dd9e2
SHA1 4620a51f9250b4c1d3b6f40481be096795eac99d
SHA256 a5a73ed941b5aec41b6b9f254808134fc5a18640da926d393a78e39a55a2f90b
SHA512 cf937e82c55803053040920ea91af1adf69a8d13993152f88df601eb880e37cc5426c3279792aab60b546ec40fff55f805cb589d83a7abad6849db8d3629f253

memory/1704-119-0x0000000007610000-0x0000000007620000-memory.dmp

memory/4212-120-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4A1.tmp\F4A2.tmp\F4A3.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/4212-117-0x0000000007C00000-0x0000000007C10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 45fe8440c5d976b902cfc89fb780a578
SHA1 5696962f2d0e89d4c561acd58483b0a4ffeab800
SHA256 f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96
SHA512 efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25

memory/1704-123-0x0000000008750000-0x0000000008D68000-memory.dmp

memory/1704-124-0x0000000007A20000-0x0000000007B2A000-memory.dmp

memory/1704-125-0x0000000007950000-0x0000000007962000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

memory/4212-137-0x0000000007F20000-0x0000000007F5C000-memory.dmp

memory/4212-138-0x0000000007F60000-0x0000000007FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_2692_ODLLKWCJPEUTPIRS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 59408312252454f48b7a8c3b7cad19fe
SHA1 47bdd64c719ce492fa42abbe0ae197aa4d54ee83
SHA256 78be01391b50a8c919213e54eabb83862791eabb889263cd124a9f2785898612
SHA512 485c8e75c4e708c8b58e1a46785494e3871ec391eee48aea2d0172420be3a48a78fb9848f7eaa71886be247f912593d0e158571aaf4452308f52c85f0ec2e832

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4a08827354b47a5750ff91518b920939
SHA1 ab604fda3956cf7e2603674a37fae46432b8beb8
SHA256 a473074acfa222dd2da04b35fdf2b3dd012f235bf33bc5f6790aa7bd2828d3e8
SHA512 b23a5c1894e894285aa1215959480f4457bc77efa07f3d13a373b45f4a967b829b309285a8153f9c05e6a01cdac2fb02e27bc06bc6e0480699b2a5e6bf2b65a9

memory/4780-212-0x00007FFE4AA40000-0x00007FFE4B501000-memory.dmp

\??\pipe\LOCAL\crashpad_4372_TZEGCLMMKGSXFOOG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4780-219-0x00007FFE4AA40000-0x00007FFE4B501000-memory.dmp

memory/1704-220-0x00000000728B0000-0x0000000073060000-memory.dmp

memory/4212-233-0x00000000728B0000-0x0000000073060000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4212-250-0x0000000007C00000-0x0000000007C10000-memory.dmp

memory/1704-251-0x0000000007610000-0x0000000007620000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2DF7.exe

MD5 3ed110e6e3f87f37d778140ccf8d555e
SHA1 1118fa5a58e67ecc84d1f5becc3233c5f09ca72c
SHA256 8df4b026ca99610307d6696b3c6d0541b431b282e1dac565629de6662240a237
SHA512 d2abb8b1e2775d48606fed12cfc2bf77201cac0292f867d1b6bb85598c83d2452aed03c8cdd801357129219589cea65f9c074019890d772b62f524acc54358b7

C:\Users\Admin\AppData\Local\Temp\2DF7.exe

MD5 d63554fbab5796bcb2af073ec452efff
SHA1 5633704f3af698b3e6523b48375c2f881d660cad
SHA256 ea5abcd543c0e38f9309f16275d23e62894c538868d01d7a1152e54ecf93993b
SHA512 484841215895759f1029616273ff686def95fdb1233f710b533781ef72e013bcaa5bb26303bacc67b1ef5b680d6d1d699d0005d3a25080cdb61bceb25484d2a1

memory/5904-266-0x00000000728B0000-0x0000000073060000-memory.dmp

memory/5904-274-0x0000000000AF0000-0x0000000001A1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 3cd87c79c29038b14a16d38fd1ec64a9
SHA1 fc29423eb92981c95aac3bba3b6ea529eeebaa9f
SHA256 350c460172d1f2bdf7626bb1273892516d4dc7ec0704c4e608b3bd1f1d27508f
SHA512 1bca2c813db6cee83e63ca38373763ddc46e8c631f67e8c2108db6de5736598a10ae029347c25892d1f2446cfc606f8872ec739ca3575064adcb8b80373e86a4

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 ddbce72a18dea3099b69179a70d1b736
SHA1 174b409bb9ed9d7a062aa091362d3b5745f2df9f
SHA256 753900e7826e0be41eebb8452e38dc7ac7d3d96fc7d8eecf0f8ea20332e8cf2c
SHA512 b0adbe243beb94d72a6bd273d125101cf8b1237406c1dcca5ab8cb08a7116ce6efde73e896189ce66c330c8b6eab083be22d935bc4bdd75449f7f1d5e3bf7b39

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 8c6d9871dbc2c073e8dbf71fe10f97c8
SHA1 5c2df06b2a2f91deb478a9315791b59b21d39692
SHA256 af7cb69dfaa0ec2ffbabfb799357ad73160455de63a87b7c7fd0c38a12728f4c
SHA512 35dbb73f7122a97a19a32577e884408852468903c3fc86ae2aad0d913070e90c74013ea9b665f0266a681ab66875a7ebcbf2371075e2d3c519976653f18a0a07

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 a1c194ce944224edec84038b8cf9ad07
SHA1 4c908ecba6200ad31fddd4dc8a8a59c10f9338b1
SHA256 f25faa88723fdd738233f5c483ac3a242a0545a787eeea8f9e2a2b7ae47837e5
SHA512 fe3ac1799e7a42c61789200d8245dfd684930e01d164913212ae89cc00304e0ddf598e3bbdf641b0ce7f50d9103012e4c9bb1a7f60aeded6e589ca13703b3ae5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2ecea6e0853fec19bd41c7f23d91bdb8
SHA1 8d3db74143eb8816c57833a144ecf8ec8ce58a34
SHA256 3b1a74b170bb210993ac517235632865965d4a9da8f3dd74d3830b1073bdcfd1
SHA512 b244c9c7e1bc5505b1532a03b4daeb1fb2667d9736712c0aaeb8e465aba6bc29be9d3bafaf803157a4735d36c7684f281ac17c5daaa5c43a4dd2c6e5d1f867c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4a08827354b47a5750ff91518b920939
SHA1 ab604fda3956cf7e2603674a37fae46432b8beb8
SHA256 a473074acfa222dd2da04b35fdf2b3dd012f235bf33bc5f6790aa7bd2828d3e8
SHA512 b23a5c1894e894285aa1215959480f4457bc77efa07f3d13a373b45f4a967b829b309285a8153f9c05e6a01cdac2fb02e27bc06bc6e0480699b2a5e6bf2b65a9

memory/3428-327-0x00000000728B0000-0x0000000073060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 14e8e94334c85303267ef12cac3aeb49
SHA1 b57b27629ac41a8f137bcae4117cc59093e52c12
SHA256 9784bb54e4fd5e5a2674775996982f9c98a72f5604bb7c8b16a14689bb4d725b
SHA512 60fb43b8a4ddc728c5e0de51229de68546e00acbe2af0db6f75ed09bcc3641fb3cd2a57020a5cfcb706c5588f764e55b09b0f8f4fb4064cd18a1a8d760b47ea6

memory/3428-328-0x0000000000E80000-0x0000000001396000-memory.dmp

memory/5904-332-0x00000000728B0000-0x0000000073060000-memory.dmp

memory/3428-342-0x0000000005C90000-0x0000000005CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ae47101bf6e1b50971c9115349a344d7
SHA1 4f6e2edba3b108fa41b3af727eea84241be9c127
SHA256 1d4f77988e64ec16d248bd29537375b5b5221d95a319e194aa1ff8fb5faa0f80
SHA512 385228cc97f8892c39d9c8dfdea1afb3f8b55c4b2ae5767d0a8ae29a74b8ccbed302570666614c2f8b84291d8abaa8e309a8d52e0ef0984235db35061289223d

memory/3428-345-0x0000000005EE0000-0x0000000005F7C000-memory.dmp

memory/5204-346-0x00000000023F0000-0x00000000023F9000-memory.dmp

memory/5204-344-0x0000000002440000-0x0000000002540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/468-354-0x0000000000400000-0x0000000000409000-memory.dmp

memory/468-356-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3428-348-0x0000000005C40000-0x0000000005C41000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 25ac77f8c7c7b76b93c8346e41b89a95
SHA1 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512 df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

memory/1900-357-0x0000000004470000-0x0000000004876000-memory.dmp

memory/1900-358-0x0000000004880000-0x000000000516B000-memory.dmp

memory/1900-364-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
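
The listing above is easier to triage once it is grouped by digest rather than by path: F30C.exe and IXP004.TMP\1oS28ea9.exe carry the same SHA256, as do F87E.exe and fefffe8cea\explothe.exe (a payload copied into its persistence directory), while 2DF7.exe, source1.exe and latestX.exe each appear under one path with two or three different digests (a file overwritten during the run, so every version has to be pulled from the sandbox separately), and the Crashpad pipe entries carry the digests of zero bytes. The Python below is an added example, not part of the original report or of the sandbox's own tooling. It parses a constructed subset of the listing (hashes copied from the entries above, SHA512 lines omitted) and reports all three cases; the flat "path line, then hash lines, blank-line separated, memory dump lines interleaved" layout is an assumption about this page's format.

```python
"""Group a sandbox 'Files' listing by content hash (added example, not the report's code)."""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]{32,128})$")
# SHA256 of zero bytes: an entry with this digest (here the Crashpad pipes) has no content to triage.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed subset of the listing above, same flat layout (SHA512 lines left out).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\F30C.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba

memory/2652-77-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F87E.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 3cd87c79c29038b14a16d38fd1ec64a9
SHA256 350c460172d1f2bdf7626bb1273892516d4dc7ec0704c4e608b3bd1f1d27508f

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 ddbce72a18dea3099b69179a70d1b736
SHA256 753900e7826e0be41eebb8452e38dc7ac7d3d96fc7d8eecf0f8ea20332e8cf2c

\??\pipe\LOCAL\crashpad_2692_ODLLKWCJPEUTPIRS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def parse_listing(text):
    """Return [(path, {algo: digest})] in listing order; memory dump lines are skipped."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                current[1][m.group(1)] = m.group(2)
        elif line.startswith("memory/") and line.endswith("-memory.dmp"):
            current = None          # in-memory region dump, not a file on disk
        else:
            current = (line, {})
            records.append(current)
    return records


def group_by_sha256(records):
    """Distinct paths seen for each SHA256, in first-seen order."""
    groups = defaultdict(list)
    for path, hashes in records:
        sha = hashes.get("SHA256")
        if sha and path not in groups[sha]:
            groups[sha].append(path)
    return dict(groups)


def copies(records):
    """Same bytes under more than one path: a payload copied into its
    persistence directory, or one file unpacked by two extractor stages."""
    return {s: p for s, p in group_by_sha256(records).items() if len(p) > 1}


def rewritten_paths(records):
    """One path observed with more than one SHA256: the file was overwritten
    during the run, so each version must be retrieved from the sandbox."""
    seen = defaultdict(set)
    for path, hashes in records:
        if "SHA256" in hashes:
            seen[path].add(hashes["SHA256"])
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


def empty_artifacts(records):
    """Entries whose content is zero bytes (named pipes, placeholders)."""
    return [p for p, h in records if h.get("SHA256") == EMPTY_SHA256]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for sha, paths in copies(recs).items():
        print("same content:", sha[:12], *paths, sep="\n  ")
    for path, shas in rewritten_paths(recs).items():
        print("overwritten:", path, *shas, sep="\n  ")
    print("empty:", empty_artifacts(recs))
```

Run over the full listing the same grouping also separates the two distinct settings.dat and Local State versions that Edge wrote during the run from the dropped binaries, which keeps browser housekeeping files out of the indicator set.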

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:32

Reported

2023-10-10 20:47

Platform

win7-20230831-en

Max time kernel

51s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F19F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F19F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FF0C.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F19F.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe N/A
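
The seven RunOnce values above are not persistence for the payload. wextract.exe, the Windows cabinet self-extractor behind IExpress packages, unpacks each package into %TEMP%\IXPnnn.TMP and registers RunOnce\wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32 "<that directory>" so the directory is deleted at the next logon. What the rows do show is nesting: each value is written by the extractor running from the directory the previous stage unpacked (file.exe creates IXP000.TMP, v9695908.exe inside IXP000.TMP creates IXP001.TMP, and the F19F.exe branch goes five levels deep), so the sample is a chain of nested SFX packages, and the key names and IXPnnn.TMP directories are worth searching for on a host during incident response. The Python below is an added example, not the report's or the sandbox's code: it parses the seven rows as they appear above (copied in as constructed input) and rebuilds the extraction chains from the "process that wrote the value" column; the row layout is an assumption about this page's format.

```python
"""Rebuild nested wextract (IExpress SFX) chains from RunOnce wextract_cleanupN rows.
Added example, not part of the original report."""
import ntpath
import re

# Row layout assumed from this page: ... RunOnce\wextract_cleanupN = "<cmd>" <process> <target>
ROW = re.compile(
    r'RunOnce\\wextract_cleanup(?P<n>\d+) = "(?P<cmd>(?:[^"\\]|\\.)*)"\s+(?P<proc>.+?)\s+(?:N/A|\S+)\s*$'
)
STAGE_DIR = re.compile(r"IXP\d{3}\.TMP")
CLEANUP_CALL = "advpack.dll,DelNodeRunDLL32"   # the only command wextract itself writes there

# Constructed input: the seven rows from the signature table above, verbatim.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F19F.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe N/A',
]


def parse_cleanup_rows(rows):
    """Return (stage_dir, registering_process) per wextract_cleanupN row.
    A value under that name whose command is not the advpack DelNodeRunDLL32
    cleanup is skipped here and deserves a look of its own, since wextract
    never writes anything else there."""
    edges = []
    for row in rows:
        m = ROW.search(row)
        if not m or CLEANUP_CALL not in m["cmd"]:
            continue
        d = STAGE_DIR.search(m["cmd"])
        if d:
            edges.append((d.group(0), m["proc"]))
    return edges


def extraction_chains(edges):
    """Link stages: the extractor that registered cleanup for IXPnnn.TMP runs from
    the directory its parent unpacked, so 'process runs from dir X' joined with
    'process created dir Y' rebuilds each nested SFX chain (basenames, root first)."""
    created = {}        # process path -> stage dir it unpacked
    living_in = {}      # stage dir -> processes that ran from it and unpacked a further stage
    for stage, proc in edges:
        created[proc] = stage
        living_in.setdefault(ntpath.basename(ntpath.dirname(proc)), []).append(proc)
    roots = [p for p in created
             if not STAGE_DIR.fullmatch(ntpath.basename(ntpath.dirname(p)))]
    chains = []
    for root in roots:
        chain, proc = [], root
        while proc is not None:
            chain.append(ntpath.basename(proc))
            nxt = living_in.get(created[proc], [])
            proc = nxt[0] if nxt else None
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in extraction_chains(parse_cleanup_rows(SAMPLE_ROWS)):
        print(" -> ".join(chain))
```

The second chain ends at IXP006.TMP, whose contents (1oS28ea9.exe in the "Loads dropped DLL" list) register no further cleanup value, so that is where the packaging stops and the real payloads begin.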

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2608 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF422481-67AD-11EE-83C0-7AF708EF84A9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FFB112F1-67AD-11EE-83C0-7AF708EF84A9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2812 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2608 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2608 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe
PID 1264 wrote to memory of 2584 N/A N/A C:\Users\Admin\AppData\Local\Temp\F19F.exe
PID 2584 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\F19F.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe
PID 1264 wrote to memory of 848 N/A N/A C:\Users\Admin\AppData\Local\Temp\F374.exe
PID 2244 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe
PID 2800 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe
PID 1212 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 36

C:\Users\Admin\AppData\Local\Temp\F19F.exe

C:\Users\Admin\AppData\Local\Temp\F19F.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\F374.exe

C:\Users\Admin\AppData\Local\Temp\F374.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\F5E5.bat

"C:\Users\Admin\AppData\Local\Temp\F5E5.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F631.tmp\F632.tmp\F633.bat C:\Users\Admin\AppData\Local\Temp\F5E5.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 132

C:\Users\Admin\AppData\Local\Temp\F8B4.exe

C:\Users\Admin\AppData\Local\Temp\F8B4.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 132

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\FD76.exe

C:\Users\Admin\AppData\Local\Temp\FD76.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:340993 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\FF0C.exe

C:\Users\Admin\AppData\Local\Temp\FF0C.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {BAD157C5-3C1E-450A-9EFA-0DFEA31626FD} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\2BF6.exe

C:\Users\Admin\AppData\Local\Temp\2BF6.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\3634.exe

C:\Users\Admin\AppData\Local\Temp\3634.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\3D18.exe

C:\Users\Admin\AppData\Local\Temp\3D18.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 516

C:\Users\Admin\AppData\Local\Temp\4331.exe

C:\Users\Admin\AppData\Local\Temp\4331.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010204611.log C:\Windows\Logs\CBS\CbsPersist_20231010204611.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {FAE2C9B4-3B13-4DAA-94E4-4BD3284CE4C3} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto Count
FI 77.91.68.29:80 - tcp 1
FI 77.91.68.29:80 77.91.68.29 tcp 2
US 8.8.8.8:53 accounts.google.com udp 1
NL 142.250.179.141:443 accounts.google.com tcp 2
RU 5.42.65.80:80 5.42.65.80 tcp 1
US 8.8.8.8:53 www.facebook.com udp 1
NL 157.240.201.35:443 www.facebook.com tcp 6
FI 77.91.124.1:80 77.91.124.1 tcp 2
US 8.8.8.8:53 static.xx.fbcdn.net udp 1
US 8.8.8.8:53 facebook.com udp 1
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp 6
CZ 157.240.30.35:443 facebook.com tcp 2
US 8.8.8.8:53 fbcdn.net udp 1
CZ 157.240.30.35:443 fbcdn.net tcp 2
US 8.8.8.8:53 accounts.youtube.com udp 1
US 108.177.119.101:443 accounts.youtube.com tcp 2
US 8.8.8.8:53 fbsbx.com udp 1
CZ 157.240.30.35:443 fbsbx.com tcp 2
US 8.8.8.8:53 play.google.com udp 1
NL 142.251.36.14:443 play.google.com tcp 1
TR 185.216.70.222:80 185.216.70.222 tcp 1
NL 85.209.176.171:80 85.209.176.171 tcp 1
US 8.8.8.8:53 api.ip.sb udp 1
US 104.26.12.31:443 api.ip.sb tcp 1
US 8.8.8.8:53 58da6724-f68c-492e-b02f-21622e225a4e.uuid.cdntokiog.studio udp 1
US 8.8.8.8:53 bytecloudasa.website udp 2
US 172.67.212.39:80 bytecloudasa.website tcp 19
US 8.8.8.8:53 msdl.microsoft.com udp 1
US 204.79.197.219:443 msdl.microsoft.com tcp 1
US 8.8.8.8:53 www.microsoft.com udp 1
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp 1
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp 1
US 104.21.61.162:80 bytecloudasa.website tcp 18
US 8.8.8.8:53 host-file-host6.com udp 1
US 8.8.8.8:53 host-host-file8.com udp 1
US 204.79.197.200:443 ieonline.microsoft.com tcp 2
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp 1
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp 1
US 8.8.8.8:53 xmr-eu1.nanopool.org udp 1
DE 135.125.238.108:14433 xmr-eu1.nanopool.org tcp 1
US 8.8.8.8:53 pastebin.com udp 1
US 104.20.68.143:443 pastebin.com tcp 1
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp 1
US 8.8.8.8:53 stun.l.google.com udp 1
US 74.125.128.127:19302 stun.l.google.com udp 1
US 8.8.8.8:53 cdn.discordapp.com udp 1
US 162.159.134.233:443 cdn.discordapp.com tcp 1
US 8.8.8.8:53 server12.cdntokiog.studio udp 1
BG 185.82.216.49:443 server12.cdntokiog.studio tcp 1

Count is the number of identical rows the sandbox logged (103 in all); "-" marks a flow for which no domain was recorded.
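Reading the table: the 8.8.8.8:53 rows are the sandbox resolving names, not contacts. Rows whose domain is missing or merely repeats the IP are plain-HTTP flows to bare IPs (77.91.68.29, 77.91.124.1, 5.42.65.80, 185.216.70.222, 85.209.176.171), the usual shape of loader check-ins; xmr-eu1.nanopool.org on port 14433 is a Monero mining pool; pastebin.com and cdn.discordapp.com are the hits behind the "Legitimate hosting services abused" signature; api.ip.sb is a public-IP lookup; and several names (the UUID-prefixed cdntokiog.studio host, host-file-host6.com, host-host-file8.com, www.microsoft.com) are resolved but never connected to. The script below is an added example, not part of the sandbox's tooling: it parses a constructed excerpt of this table and produces that triage automatically. Its category rules are heuristics chosen for this example rather than vendor signatures, and RESOLVER, KNOWN_SERVICES, HOSTING_ABUSE and the mining-port set are assumptions to tune.

```python
"""Triage the flattened Network table of a sandbox report.

Added example for this page, not part of the sandbox's own tooling.  Rows read
"<country> <ip:port> [<domain>] <proto>" (no domain when the sandbox could not
tie the flow to a DNS answer).  Lookups are separated from real flows, repeated
rows collapsed, each destination labelled, and names resolved but never
contacted listed separately.
"""
import ipaddress
import re
from collections import Counter, OrderedDict

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+"
                    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Rule tables are assumptions for this example, not vendor signatures.
RESOLVER = ("8.8.8.8", 53)        # the sandbox's resolver: rows to it are lookups
KNOWN_SERVICES = ("google.com", "youtube.com", "facebook.com", "fbcdn.net",
                  "fbsbx.com", "microsoft.com", "windows.net")   # low priority, not ignorable
HOSTING_ABUSE = ("pastebin.com", "cdn.discordapp.com")           # usual dead drops
MINING_POOLS, MINING_PORTS = ("nanopool.org",), {14433}          # pool and port seen here

# Constructed excerpt of the table above; repeats kept on purpose.
SAMPLE_ROWS = """\
FI 77.91.68.29:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 58da6724-f68c-492e-b02f-21622e225a4e.uuid.cdntokiog.studio udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
DE 135.125.238.108:14433 xmr-eu1.nanopool.org tcp
US 104.20.68.143:443 pastebin.com tcp
US 74.125.128.127:19302 stun.l.google.com udp
"""

def under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def is_ip(text):
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True

def classify(domain, port, proto):
    """Heuristic label for one destination (see the rule tables above)."""
    d = domain.lower()
    if under(d, MINING_POOLS) or port in MINING_PORTS:
        return "mining pool"
    if d == "api.ip.sb":
        return "public IP lookup (victim fingerprinting)"
    if under(d, HOSTING_ABUSE):
        return "hosting service used as dead drop / payload host"
    if d == "stun.l.google.com" or port == 19302:
        return "STUN (NAT discovery)"
    if under(d, KNOWN_SERVICES):
        return "well-known service, low priority"
    if not d or is_ip(d):
        return f"bare-IP {proto} on port {port}, no DNS: loader/C2 check-in candidate"
    if d.count(".") >= 2 and UUID_RE.match(d.split(".", 1)[0]):
        return "per-victim UUID subdomain: victim-tracking / beacon pattern"
    return "unclassified domain: treat as C2 candidate"

def parse_rows(text):
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m["cc"], m["ip"], int(m["port"]), m["domain"] or "", m["proto"]

def triage_network(text):
    """lookups: resolved name -> count; contacts: one dict per unique
    (ip, port, domain, proto) in first-seen order with hit count and label;
    resolved_only: names looked up but never contacted (dead, blocked or unused)."""
    lookups, contacts = Counter(), OrderedDict()
    for cc, ip, port, domain, proto in parse_rows(text):
        if (ip, port) == RESOLVER and proto == "udp":
            lookups[domain] += 1
            continue
        key = (ip, port, domain, proto)
        if key not in contacts:
            contacts[key] = {"country": cc, "ip": ip, "port": port, "domain": domain,
                             "proto": proto, "count": 0, "label": classify(domain, port, proto)}
        contacts[key]["count"] += 1
    contacted = {c["domain"] for c in contacts.values()}
    resolved_only = [(n, classify(n, 0, "")) for n in lookups if n not in contacted]
    return {"lookups": lookups, "contacts": list(contacts.values()),
            "resolved_only": resolved_only}

if __name__ == "__main__":
    report = triage_network(SAMPLE_ROWS)
    for c in report["contacts"]:
        print(f"{c['count']:>3}x {c['ip']}:{c['port']:<6}{c['domain'] or '-':<45}{c['label']}")
    for name, label in report["resolved_only"]:
        print(f"resolved only: {name} ({label})")
```

The resolved_only list is the part worth keeping an eye on: a name that the sample asks for but never connects to is either a dead or sinkholed C2, a domain blocked by the sandbox, or a fallback the loader only uses when the primary fails, and each of those is worth a different follow-up.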

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

MD5 cb1af71ceead417172b28de58431ef66
SHA1 c5e0ec5d020a25deabc48084658e820977b0b4aa
SHA256 6ce79dba9cb413c17a6329782e03d458b45ba6c666c4bc0ea25ad987ad622109
SHA512 5e409b1d51efed7cfdc98a301f8b68e0cfb80fb8dbe80f306ac15d2af105198bfae17d54348be867224c39a9cbf99e1d0dfffffe69898f4f4589618c15251fd0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

MD5 cb1af71ceead417172b28de58431ef66
SHA1 c5e0ec5d020a25deabc48084658e820977b0b4aa
SHA256 6ce79dba9cb413c17a6329782e03d458b45ba6c666c4bc0ea25ad987ad622109
SHA512 5e409b1d51efed7cfdc98a301f8b68e0cfb80fb8dbe80f306ac15d2af105198bfae17d54348be867224c39a9cbf99e1d0dfffffe69898f4f4589618c15251fd0

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

MD5 410af2f3e0bc3d247844509d7612fca0
SHA1 96bf45d02d6539dd6a575a3f517d4ebaa9f84343
SHA256 2356f822dafd186b6ff9a93ad828b9b5b72bf51e5e1f33d634b3570f09101cff
SHA512 b41be9ccab2469bdf8a732fee4b340438f0005bfef7117da858731790a062287603c6cbcad839e8a3b1e7d6c6a25d5f38fa79159030eae4927b16def344e977e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

MD5 410af2f3e0bc3d247844509d7612fca0
SHA1 96bf45d02d6539dd6a575a3f517d4ebaa9f84343
SHA256 2356f822dafd186b6ff9a93ad828b9b5b72bf51e5e1f33d634b3570f09101cff
SHA512 b41be9ccab2469bdf8a732fee4b340438f0005bfef7117da858731790a062287603c6cbcad839e8a3b1e7d6c6a25d5f38fa79159030eae4927b16def344e977e

memory/2752-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2752-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2752-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2752-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2752-27-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1264-32-0x00000000025A0000-0x00000000025B6000-memory.dmp

memory/2752-35-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F19F.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

\Users\Admin\AppData\Local\Temp\F19F.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\F374.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\F5E5.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\F631.tmp\F632.tmp\F633.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

\Users\Admin\AppData\Local\Temp\F374.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\F8B4.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

\Users\Admin\AppData\Local\Temp\F8B4.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\FD76.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/796-174-0x0000000000F10000-0x0000000000F1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\FF0C.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/796-187-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FF422481-67AD-11EE-83C0-7AF708EF84A9}.dat

MD5 959518a52bf51e5cda5467a4c65e0a5d
SHA1 a943fbfef0686a29af62dd5948d909cd9c7852cd
SHA256 20bc79695ecdd7801a7cd27e74375fc96a9cce1d57cbf53265e7d513ee1af42c
SHA512 55d89e676edc083a82b65ade2c0e420cb76abca67249ebad21739a1cbf5b79f9917591414cb8990065374d2e30583424a28c19d9d5a02c0fa551f78dd7af31f9

C:\Users\Admin\AppData\Local\Temp\Cab435.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar448.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aad5e9b3f2146356231df199ad993e29
SHA1 a5df47f90bb617874f2e45a71588f7709b2e52bf
SHA256 21a8a153bc484e805b9a577abb9786adf6b8ad3e4282ea9cb37ec284e8a33e7a
SHA512 6e35346f54e2ef5752ac53100f5d085bec5d16dcdb8c3989f55f59c6d3f1addfff294706cba6d7664753d24a2413b3b9bed63e5bbf18ec3c85427bb7a4e57de8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89de88ecc01a0e6f272bcfa86c977524
SHA1 074904d6e19222427521b8d9cf6f2dcee3e68cfa
SHA256 07cecf94938f48395612318e22fa02973556061463088226488a9ca8363f85bd
SHA512 5358d4c03cfe3b0a8fd7b0cfcd190bdab650d2b9fb6ba1bf431709cf827875ed356135eb55ce4a0837b054c70dc9e4c2ff1d76bd4c9faf6a965098bf0fe34cb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a35378d8032323dcdcafef73bd1d419e
SHA1 eeee34b4b37a68fc14bc5c30903fca422523c93c
SHA256 b1d79509c20346d469d43dfd2094ba46001610e43930b3e8f7289e0b07e14042
SHA512 3e2f2727a4438a9fa09d5a37da9b5344155cf5b2eeb43042a4cd5bacc0cba033f56f158808dd9f9469bc811de2b78b02d74816baa44c1e6f392845e3938cdca6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2SBOE92S\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bucspth\imagestore.dat

MD5 015ac3c66081a0843e73ee06f6ab7008
SHA1 9ee2ba3b1c88aef461d0fe81ac854c69f47457cd
SHA256 dd4c8f27457e56424737eef1ac9c0eb733c4a788297881b9902fd7d2999cf2ec
SHA512 8ffb8f720c17b68ff0c08bb1b3fd306303fe9e51abdb777c2642913c8258aca371432b3519b07106889a17c7075e8198ecdd23dab5f748bdc8a592668a192908

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bucspth\imagestore.dat

MD5 357fe5fcd6c446bb4123106dc813104d
SHA1 93a6221793bdd1cd849ca595a85159b7e623a3e7
SHA256 ab10312dc6240fe3151ef3c5a75b515436829d71f987ab5921be89a91eed906e
SHA512 e0447e64e5ba5d8041415e855962d84fb70efb1e033fa6972f98586b325a8e749879c0f1c72d320d81ff2277e760d1c707238c19edb42c5521d70987387bbad2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\27V93E5X\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 463ea591d361074d56a18f56c94f1da4
SHA1 3f0915c4d50dcb59c2e19f815f484497f5003234
SHA256 0d21a6b184dd2ce041f33ebf2b87745565d3fe14f4cbf1e112c55b850ec6119d
SHA512 0de3c2061bc2b532d4df0d507462b9e46839fce4c0ad7e6adbef4b0dcfae6b8366e1f8b24d9d857a337fd78d710cba27e09ed222a9a8f5df63086d495de24960

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea83d703cb85c99d3c5f16f942b91c22
SHA1 f87e1c379e790c705a7722dc6da5dec3c637f1cf
SHA256 af85cb526737a963cd8803409917ac0b33a7787747d7bb7d3365610f90bd9d31
SHA512 1cc063c8301a9a312d03721ed8b0088a1e69834c500517b9050a569aa3bd4b85d24be60e533b88d4d515cc77717a2a7e1bd93a792fd64275a7ec8d21580b08b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b5f2c4f25f94f78d483f1a8326c6bb7
SHA1 17d11e709552c77bc668de39b097264b94635f6f
SHA256 2152f8ba8ca77219de13a01335e77cea1a80a36fb356746966fe43495b326446
SHA512 4b2d6b7ec3e05a71d3df6d483b06659d32074883bb2e35d7d404c708ebb71f2b0ba01d9c9869bc1950667eeaec145fd7e85ca8501c3f07a2808d790b4b34ccea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 705a4b9d5c5a5259565897c285bebbd1
SHA1 f36c3f63df98e9f43367dcca2a3570de06b275f4
SHA256 aebdfd55d9745e6673d76c665b2de3a6582de0ea6983e47ba74723ef41a7d1df
SHA512 60dc07aa6c8558fd3e7ab487e1a8aba53ef7c97dc5b0ea9a8ff0f74da228795c21e7a72728d662e789b9380e0a141a0ca10c889498fd03e6023b21ba6e309d63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43039227ff4cf3456c2d8fc954f3d431
SHA1 4a110fa110f6615fe02e746754cf7652acdf2725
SHA256 9da79d0fdd8a6e7696a7f179418ec5f093ca0715a6477ed06486d6af79910b01
SHA512 ceb04adbe9e4e6c215800c36ff5c77b94dbe6be2b3a9ba18f98a841fbeac16f75ae78d0ea6d4dc3649e73797e8280b1ce22b0027835e9c3905a3b51c970e878f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9836c2779358e16682d49dcdaa0085b2
SHA1 ca03191c260f6f60dde08006194df3a0e668e313
SHA256 a1ccf839e60ef7c85b54d8c1abff504edd7bb03a69c8bb03027d655e2fafab99
SHA512 084cdfaa4c13ed3b134f528e17e8dd2e8e55d629d327a1c0f908ae75b3ad1e631c38b7ab291ab55888202d550e81ef4b991fbf7a331de15f912adfa5b8905dfd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 790f6eb64f7cec494f96c41751c8af00
SHA1 a4c049c65fcd3ce400bfdc45058a2cae88d524ec
SHA256 b1ace8ee23f8e35e2d80a2da32de6fd9cd0198332823830b20d018b32e3457c1
SHA512 c56a4e2952eeb840c3475099e005459e6565c6d3c183ea8b23a46f7bafce4ddedd787ca68a04c45633d6ab25670a589d8b257774496fa52517e343d867cb2c0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6c478474da2858c8f46aead4a0fedb7
SHA1 f205f78bcc182c31e4a778d1db530d977888913f
SHA256 8952ee109dcd02caf9567dbcda19ec9dcac10326bed23d62c260ac4b252c0ff0
SHA512 7ade6230500953527d9849b5ad255aa68f23939219a63d83e1eba00afeb9efd83584720846f1782e726b51db01c90779fb96574872a5a764605a89423f0ab216

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01775a41992d3c2b6496949269c9f5ca
SHA1 b64ee015ca4d18470398fdc23f0275d6ee47d2ed
SHA256 5d6ad292becf8392647c56586e6342632bde107cdc5181f933341225cfb0a218
SHA512 2b25a4ad6a0e75b7c3ff60aafaa92b762efcea1235809f7d7400cd45a8a007c03b0bc4f86e31f49593e16b35a126d2e14ccb8ccba846d2f5962efb9eed2debb6

memory/796-942-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

memory/796-943-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

memory/1080-947-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/1080-948-0x0000000000CE0000-0x0000000001C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/2560-967-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/2560-968-0x0000000001380000-0x0000000001896000-memory.dmp

memory/2140-969-0x0000000003FC0000-0x00000000043B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3634.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/1432-981-0x0000000002320000-0x0000000002420000-memory.dmp

memory/2140-987-0x0000000003FC0000-0x00000000043B8000-memory.dmp

memory/1280-989-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2140-988-0x00000000043C0000-0x0000000004CAB000-memory.dmp

memory/880-979-0x0000000000360000-0x00000000003BA000-memory.dmp

memory/1432-986-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1280-985-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1080-978-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/880-977-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1280-980-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2560-990-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/2140-996-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3D18.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/1968-998-0x0000000000020000-0x000000000003E000-memory.dmp

memory/1968-1000-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2560-1002-0x0000000000640000-0x0000000000641000-memory.dmp

memory/1968-1004-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/2204-1008-0x0000000000F50000-0x0000000000F6E000-memory.dmp

memory/2204-1009-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/2560-1010-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/2204-1011-0x0000000004700000-0x0000000004740000-memory.dmp

memory/1280-1014-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1432-1015-0x0000000000220000-0x0000000000229000-memory.dmp

memory/880-1013-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2140-1019-0x00000000043C0000-0x0000000004CAB000-memory.dmp

memory/1264-1012-0x0000000003AB0000-0x0000000003AC6000-memory.dmp

memory/2140-1020-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2560-1022-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1716-1023-0x000000013F1D0000-0x000000013F771000-memory.dmp

memory/2296-1024-0x00000000040E0000-0x00000000044D8000-memory.dmp

memory/2296-1036-0x00000000040E0000-0x00000000044D8000-memory.dmp

memory/2296-1037-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2296-1077-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1448-1078-0x0000000004210000-0x0000000004608000-memory.dmp

memory/1968-1079-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/1448-1080-0x0000000004210000-0x0000000004608000-memory.dmp

memory/2296-1082-0x00000000040E0000-0x00000000044D8000-memory.dmp

memory/2204-1081-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/1448-1083-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2560-1084-0x00000000006E0000-0x00000000006FC000-memory.dmp

memory/2560-1085-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2204-1087-0x0000000004700000-0x0000000004740000-memory.dmp

memory/2560-1086-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1089-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1091-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1093-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1095-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1097-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1099-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1101-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1103-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1105-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1107-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1109-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2560-1110-0x0000000000760000-0x0000000000761000-memory.dmp

memory/788-1111-0x0000000000400000-0x000000000047F000-memory.dmp

memory/788-1113-0x0000000000400000-0x000000000047F000-memory.dmp

memory/788-1115-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp87D6.tmp

MD5 ffb3fe1240662078b37c24fb150a0b08
SHA1 c3bd03fbef4292f607e4434cdf2003b4043a2771
SHA256 580dc431acaa3e464c04ffdc1182a0c8498ac28275acb5a823ede8665a3cb614
SHA512 6f881a017120920a1dff8080ca477254930964682fc8dc32ab18d7f6b0318d904770ecc3f78fafc6741ef1e19296f5b0e8f8f7ab66a2d8ed2eb22a5efacaeda5

C:\Users\Admin\AppData\Local\Temp\tmp87C0.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/788-1177-0x0000000000400000-0x000000000047F000-memory.dmp

memory/788-1180-0x0000000000400000-0x000000000047F000-memory.dmp

memory/788-1187-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2560-1188-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/2372-1220-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2372-1232-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2204-1245-0x0000000070340000-0x0000000070A2E000-memory.dmp

memory/1448-1248-0x0000000000400000-0x000000000266D000-memory.dmp

memory/684-1258-0x0000000002330000-0x0000000002338000-memory.dmp

memory/684-1257-0x000000001B050000-0x000000001B332000-memory.dmp

memory/684-1259-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

memory/684-1261-0x0000000002230000-0x00000000022B0000-memory.dmp

memory/684-1262-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

memory/684-1263-0x0000000002230000-0x00000000022B0000-memory.dmp

memory/684-1264-0x0000000002230000-0x00000000022B0000-memory.dmp

memory/788-1265-0x0000000000400000-0x000000000047F000-memory.dmp

memory/684-1266-0x0000000002230000-0x00000000022B0000-memory.dmp

memory/684-1267-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BPC0KH6OLF6ITDFQI2L3.temp

MD5 28f726e383304f88a82bc61c4e4a9a14
SHA1 ea0ce7f0edb56193fd8cc8af00ad3a68d2ef1c54
SHA256 7938509715151cb5b814a924aeff6d500176534dff35d87b29608612cb1e53d6
SHA512 8cbba19c12f0acc7f5ede182c883466f937de3aa6edee7209c5fb674214a968d844ac2b061be60d9aa5b2c1b734115ead5a6f38de781380c3894947de9cbdebb

memory/2560-1281-0x000000001B270000-0x000000001B552000-memory.dmp

memory/2560-1283-0x000007FEF3E30000-0x000007FEF47CD000-memory.dmp

memory/2560-1282-0x0000000002080000-0x0000000002088000-memory.dmp

memory/2560-1285-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2560-1292-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2560-1291-0x000007FEF3E30000-0x000007FEF47CD000-memory.dmp

memory/2560-1293-0x00000000026C0000-0x0000000002740000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2560-1294-0x00000000026C0000-0x0000000002740000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\27V93E5X\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09