Malware Analysis Report

2025-01-23 10:12

Sample ID 231010-zcvfnshf8y
Target file
SHA256 93672fe5c7a31c3ec7781d80ddd3104032dda555446444be8e1fc547bdaf5fd9
Tags
amadey healer redline smokeloader magia backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93672fe5c7a31c3ec7781d80ddd3104032dda555446444be8e1fc547bdaf5fd9

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

amadey healer redline smokeloader magia backdoor dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Detects Healer an antivirus disabler dropper

Healer

Amadey

RedLine

RedLine payload

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:34

Reported

2023-10-10 20:38

Platform

win10v2004-20230915-en

Max time kernel

93s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D349.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe N/A
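The three registry tables above (the Real-Time Protection values, the TamperProtection write, and the RunOnce entries) need two different readings. The Disable* = "1" and TamperProtection = "0" writes by 1vl66Xo1.exe are plain defence evasion, with the caveat that the report records the write, not whether Defender honoured it. The RunOnce rows are not payload persistence despite the signature name: a value called wextract_cleanupN whose command is rundll32.exe advpack.dll,DelNodeRunDLL32 "...\IXPnnn.TMP\" is the self-cleanup that Windows' own IExpress/WEXTRACT self-extracting stub registers so that its extraction folder is deleted at next logon, so each row identifies one SFX stub and the folder it unpacked into (file.exe -> IXP000, tw9sk06.exe -> IXP001, dn4Re20.exe -> IXP002, MS3rR13.exe -> IXP003, and a second chain starting at D349.exe). The later "Uses Task Scheduler COM API" signature is where to look for actual persistence. The Python below is an added example, not code from the report or the sandbox: it parses rows in the exact layout of these tables (copied verbatim as constructed sample input, plus one hypothetical Run entry under C:\hypothetical that is not in the report) and separates Defender tampering from WEXTRACT cleanup and from anything else written under Run/RunOnce. The WOW6432Node prefix is stripped before matching because the report shows the 32-bit process's view of the registry; DisableAntiSpyware is included as a well-known extra value that this report does not contain.

```python
"""Triage registry 'Set value' rows from a sandbox report: Defender tampering and
Run/RunOnce writes.  Added example for this page; not sandbox or malware code."""
import re

# Row layout used by the signature tables above:
#   Set value (<type>) <key path>\<value name> = "<value>" <writing process> <target>
# <value> may contain \" and \\ escapes, so the value group accepts escaped chars.
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\)\s+(?P<key>\\REGISTRY\\.+?)'
    r'\s=\s"(?P<value>(?:[^"\\]|\\.)*)"\s+'
    r'(?P<process>N/A|[A-Za-z]:\\.+?)\s+(?P<target>N/A|[A-Za-z]:\\.*)$'
)

# Defender value names and the value that switches the protection off.
DISABLING = {
    "DisableRealtimeMonitoring": "1",
    "DisableBehaviorMonitoring": "1",
    "DisableIOAVProtection": "1",
    "DisableOnAccessProtection": "1",
    "DisableScanOnRealtimeEnable": "1",
    "DisableAntiSpyware": "1",        # well-known value, not present in this report
    "TamperProtection": "0",
}
_DISABLING_CI = {k.lower(): (k, v) for k, v in DISABLING.items()}

# The stock self-cleanup that Windows' IExpress/WEXTRACT SFX stub registers under
# RunOnce: delete its IXPnnn.TMP extraction folder at next logon.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe [A-Za-z]:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 '
    r'"(?P<dir>.+\\IXP\d{3}\.TMP\\)"$', re.IGNORECASE)

def parse_rows(rows):
    """Yield (key path, value name, unescaped value, writing process) per Set value row."""
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = m["key"].replace("\\WOW6432Node", "")     # 32-bit view -> canonical path
        path, _, name = key.rpartition("\\")
        value = re.sub(r"\\(.)", r"\1", m["value"])     # undo \" and \\ escapes
        yield path, name, value, m["process"]

def defender_tampering(rows):
    """(process, value name, value) for every write that disables a Defender feature."""
    hits = []
    for path, name, value, proc in parse_rows(rows):
        if "\\windows defender" not in path.lower():
            continue
        canon = _DISABLING_CI.get(name.lower())
        if canon and canon[1] == value:
            hits.append((proc, canon[0], value))
    return hits

def classify_runonce(rows):
    """For each Run/RunOnce write: ('sfx-cleanup', writer, IXP dir) when the value is
    the stock WEXTRACT cleanup entry, otherwise ('persistence', writer, command)."""
    out = []
    for path, name, value, proc in parse_rows(rows):
        if not re.search(r"\\CurrentVersion\\Run(Once)?$", path, re.IGNORECASE):
            continue
        w = WEXTRACT_CLEANUP_RE.match(value)
        if w and re.fullmatch(r"wextract_cleanup\d+", name, re.IGNORECASE):
            out.append(("sfx-cleanup", proc, w["dir"]))
        else:
            out.append(("persistence", proc, value))
    return out

# Constructed input: rows copied from the tables above, plus one final row that is
# NOT in the report (a hypothetical Run value under C:\hypothetical) so that the
# persistence branch is exercised.
SAMPLE_ROWS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example = "C:\\hypothetical\\payload.exe" C:\hypothetical\dropper.exe N/A
'''.strip().splitlines()

if __name__ == "__main__":
    for hit in defender_tampering(SAMPLE_ROWS):
        print("defender", *hit)
    for entry in classify_runonce(SAMPLE_ROWS):
        print(*entry)
```

On a live host the equivalent check is Get-MpPreference and Get-MpComputerStatus in PowerShell; the sandbox rows only tell you the values were written.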

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
(60 further events in this table have no recorded indicator, process or target)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 1808 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 1808 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 4464 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 4464 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 4464 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 3344 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 3344 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 3344 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 3812 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 3812 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 3812 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 3812 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 3812 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 3812 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3344 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe
PID 3344 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe
PID 3344 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe
PID 3384 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3384 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3384 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3384 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3384 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3384 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4464 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe
PID 4464 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe
PID 4464 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe
PID 2876 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1808 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe
PID 1808 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe
PID 1808 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe
PID 2660 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe C:\Windows\system32\cmd.exe
PID 3944 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3944 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3176 wrote to memory of 4800 N/A N/A C:\Users\Admin\AppData\Local\Temp\D349.exe
PID 3176 wrote to memory of 4800 N/A N/A C:\Users\Admin\AppData\Local\Temp\D349.exe
PID 3176 wrote to memory of 4800 N/A N/A C:\Users\Admin\AppData\Local\Temp\D349.exe
PID 3464 wrote to memory of 1536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3464 wrote to memory of 1536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4800 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\D349.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 4800 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\D349.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 4800 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\D349.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 3944 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
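Each row of the table above is one WriteProcessMemory call, so the same (parent, child) pair recurs. Every ordinary launch in this trace shows up as two or three writes, while the AppLaunch.exe children spawned by 2Bx2067.exe (PID 3680, ten writes), 3TQ78QB.exe (PID 1376, six) and 4iG636EF.exe (PID 3136, eight) receive many more. Together with the SetThreadContext and MapViewOfSection signatures and the WerFault crashes of 4940, 3680, 3384 and 2876 listed under Processes, that is consistent with a loader hollowing a signed .NET host (AppLaunch.exe) rather than running its own image. The Python below is an added example, not part of the report; it rebuilds the process tree from rows in this exact layout (a subset of the table, embedded as constructed input with the report's write counts) and flags edges by a threshold of four writes, which is an assumption of the example rather than a sandbox rule.

```python
"""Rebuild the process tree from a sandbox 'Suspicious use of WriteProcessMemory'
table and flag edges that look like injection.  Added example; not report code."""
import re
from collections import defaultdict

# Row layout: "PID <src> wrote to memory of <dst> N/A <source image> <target image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_img>N/A|[A-Za-z]:\\.+?)\s+(?P<dst_img>[A-Za-z]:\\.*)$"
)

def parse_rows(rows):
    """{(src_pid, dst_pid): [src_image, dst_image, write_count]}; one table row
    is one WriteProcessMemory call, so the count per edge is preserved."""
    edges = {}
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        e = edges.setdefault(key, [m["src_img"], m["dst_img"], 0])
        e[2] += 1
    return edges

def process_tree(edges):
    """Return (image by pid, children by pid, root pids)."""
    image, parent, children = {}, {}, defaultdict(list)
    for (src, dst), (src_img, dst_img, _) in edges.items():
        image.setdefault(src, src_img)
        image[dst] = dst_img
        parent[dst] = src
        children[src].append(dst)
    roots = sorted(p for p in image if p not in parent)
    return image, children, roots

def render_tree(edges):
    """Indented text tree; each child line carries the number of writes into it."""
    image, children, roots = process_tree(edges)
    lines = []
    def walk(pid, depth, writes):
        tag = f"  <- {writes} writes" if writes else ""
        lines.append(f"{'  ' * depth}{pid} {image[pid]}{tag}")
        for child in sorted(children[pid]):
            walk(child, depth + 1, edges[(pid, child)][2])
    for r in roots:
        walk(r, 0, 0)
    return "\n".join(lines)

def likely_injection_targets(edges, min_writes=4):
    """Heuristic (an assumption of this example, not a report signature): a parent
    outside C:\\Windows that writes >= min_writes times into a child that is a
    Windows binary.  In the report every ordinary launch shows 2-3 writes, while
    the AppLaunch.exe children receive 6-10."""
    hits = []
    for (src, dst), (src_img, dst_img, n) in edges.items():
        child_is_windows = dst_img.lower().startswith("c:\\windows\\")
        parent_is_windows = src_img.lower().startswith("c:\\windows\\")
        if n >= min_writes and child_is_windows and not parent_is_windows:
            hits.append((src, dst, dst_img, n))
    return sorted(hits)

T = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"

# Constructed input: a subset of the edges in the table above, each repeated as
# often as the report lists it.
SAMPLE_ROWS = (
    [_row(1808, 4464, T + r"\file.exe", T + r"\IXP000.TMP\tw9sk06.exe")] * 3
    + [_row(4464, 3344, T + r"\IXP000.TMP\tw9sk06.exe", T + r"\IXP001.TMP\dn4Re20.exe")] * 3
    + [_row(3344, 3812, T + r"\IXP001.TMP\dn4Re20.exe", T + r"\IXP002.TMP\MS3rR13.exe")] * 3
    + [_row(3812, 2612, T + r"\IXP002.TMP\MS3rR13.exe", T + r"\IXP003.TMP\1vl66Xo1.exe")] * 3
    + [_row(3812, 4940, T + r"\IXP002.TMP\MS3rR13.exe", T + r"\IXP003.TMP\2Bx2067.exe")] * 3
    + [_row(4940, 3680, T + r"\IXP003.TMP\2Bx2067.exe", APPLAUNCH)] * 10
    + [_row(3344, 3384, T + r"\IXP001.TMP\dn4Re20.exe", T + r"\IXP002.TMP\3TQ78QB.exe")] * 3
    + [_row(3384, 1376, T + r"\IXP002.TMP\3TQ78QB.exe", APPLAUNCH)] * 6
    + [_row(3176, 4800, "N/A", T + r"\D349.exe")] * 3
    + [_row(3944, 3464, r"C:\Windows\system32\cmd.exe",
            r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe")] * 2
)

if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print(render_tree(edges))
    print(likely_injection_targets(edges))
```

The parent of D349.exe (PID 3176) has no image in the table, so it surfaces as a second root; that gap is in the report itself and the example leaves it as "N/A".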

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3680 -ip 3680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3384 -ip 3384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2876 -ip 2876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 592

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AED9.tmp\AEDA.tmp\AEDB.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff06fe46f8,0x7fff06fe4708,0x7fff06fe4718

C:\Users\Admin\AppData\Local\Temp\D349.exe

C:\Users\Admin\AppData\Local\Temp\D349.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7fff06fe46f8,0x7fff06fe4708,0x7fff06fe4718

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

C:\Users\Admin\AppData\Local\Temp\D444.exe

C:\Users\Admin\AppData\Local\Temp\D444.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

C:\Users\Admin\AppData\Local\Temp\D743.exe

C:\Users\Admin\AppData\Local\Temp\D743.exe

C:\Users\Admin\AppData\Local\Temp\D85E.exe

C:\Users\Admin\AppData\Local\Temp\D85E.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

C:\Users\Admin\AppData\Local\Temp\D54E.bat

"C:\Users\Admin\AppData\Local\Temp\D54E.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\D9B6.exe

C:\Users\Admin\AppData\Local\Temp\D9B6.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D646.tmp\D647.tmp\D648.bat C:\Users\Admin\AppData\Local\Temp\D54E.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2572 -ip 2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1440 -ip 1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4348 -ip 4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10990625094037870264,357714927967416598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10990625094037870264,357714927967416598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1648 -ip 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,4400216658913091199,6484555172671505920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,4400216658913091199,6484555172671505920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,4400216658913091199,6484555172671505920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
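Most of the Network rows are noise for triage: the forward lookup of g.bing.com and the stream of in-addr.arpa queries are reverse (PTR) lookups issued by the guest OS or the sandbox for addresses it sees, not traffic that by itself says anything about the sample. What remains after filtering is three TCP connections made straight to an IP address with no hostname and no preceding forward DNS answer, one on a high port (77.91.124.55:19071) and two to plain HTTP (77.91.68.29:80, 5.42.65.80:80); those are the rows to pull as network indicators, while the report's family signatures, not the addresses, say which loader or stealer is involved. The Python below is an added example and not report code; it parses rows in this table's layout (a subset copied as constructed input), separates DNS from flows, maps PTR queries back to the address being looked up, and reports direct-to-IP and non-standard-port flows.

```python
"""Pull candidate network indicators out of a sandbox Network table.
Added example for this page; not code from the report or the sandbox."""
import re
from ipaddress import ip_address

# Row layout: "<country> <ip>:<port> [<domain>] <proto>"; the domain is optional
# (see the 77.91.124.55:19071 row in the report).
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Constructed input: a subset of the rows from the Network table above.
SAMPLE = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.55:19071 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
""".splitlines()

def parse(rows):
    """Yield (country, ip, port, domain-or-None, proto) for every well-formed row."""
    for line in rows:
        m = ROW_RE.match(line.strip())
        if m:
            yield m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]

def ptr_from_arpa(name):
    """'29.68.91.77.in-addr.arpa' -> '77.91.68.29'; None for anything else."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None

def triage(rows):
    """Return flagged flows as (ip, port, proto, country, reasons), sorted by address.
    DNS traffic is consumed to learn which names were resolved forward and which
    addresses were only looked up in reverse."""
    resolved_names = set()   # hostnames the trace resolved forward
    ptr_lookups = set()      # addresses for which a PTR query was seen
    flows = []
    for cc, ip, port, domain, proto in parse(rows):
        if port == 53 and proto == "udp":
            rev = ptr_from_arpa(domain)
            if rev:
                ptr_lookups.add(rev)
            elif domain:
                resolved_names.add(domain)
            continue
        flows.append((cc, ip, port, domain, proto))
    findings = []
    for cc, ip, port, domain, proto in flows:
        reasons = []
        if not domain or domain == ip:
            reasons.append("direct-to-ip")        # no hostname, no forward lookup
        elif domain not in resolved_names:
            reasons.append("unresolved-name")     # hostname never seen in DNS
        if port not in (80, 443):
            reasons.append("nonstandard-port")
        if ip in ptr_lookups:
            reasons.append("ptr-lookup-seen")
        if reasons:
            findings.append((ip, port, proto, cc, tuple(reasons)))
    return sorted(findings, key=lambda f: (ip_address(f[0]), f[1]))

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

The g.bing.com connection is dropped because its name was resolved forward first; a hostname that appears on a flow but never in a DNS answer is reported as "unresolved-name", which is the case to expect when the sample carries a hosts-file override or its own resolver.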

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

MD5 a435fbc1e4e361f61a211d6cac3a4260
SHA1 3cb3d775bb552f7756705eeffa4f980bb65d79b3
SHA256 d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c
SHA512 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

MD5 2b96a89e9ca635edafdb9682afa0d7a2
SHA1 669c1d1ba10291b7bff1378ae803acaf9e0d12d2
SHA256 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2
SHA512 e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

MD5 aae355668362de272191fdfd215753b2
SHA1 4de07034358734227c371008fd7ffa3062c4041e
SHA256 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f
SHA512 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

memory/2612-28-0x00000000021E0000-0x00000000021FE000-memory.dmp

memory/2612-29-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/2612-30-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2612-31-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2612-32-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2612-33-0x0000000004C30000-0x00000000051D4000-memory.dmp

memory/2612-34-0x00000000024F0000-0x000000000250C000-memory.dmp

memory/2612-35-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-36-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-38-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-40-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-42-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-44-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-46-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-50-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-48-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-52-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-54-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-56-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-58-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-60-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-62-0x00000000024F0000-0x0000000002506000-memory.dmp

memory/2612-63-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/2612-64-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2612-65-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2612-66-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2612-68-0x0000000074650000-0x0000000074E00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

memory/3680-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3680-73-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3680-74-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3680-76-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe

MD5 9be5cd3bbae0796b0b26397e43efe2db
SHA1 19bd46f9af0d71ffcf319450f33cd7ae9e69bb69
SHA256 51a81b8f93d1e06c070341d3f8efb02e50a95bf94e1b0759614e43e193fd9b3b
SHA512 c9f7c339b60bd8461af4230b51ae6fd7eac9af5ed952d46161bbb601e5b53d84d829e464a8273020ba14eacd7213294e502c24985f86041a1ff637c01c0488c6

memory/1376-80-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1376-81-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1376-84-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3176-82-0x0000000002B40000-0x0000000002B56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

memory/3136-89-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3136-90-0x00000000741C0000-0x0000000074970000-memory.dmp

memory/3136-91-0x0000000007BF0000-0x0000000007C82000-memory.dmp

memory/3136-92-0x0000000007D70000-0x0000000007D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe

MD5 0630fe57fb907366325a62a4e78c5951
SHA1 4ba0c8d92a5d9a6f89902614932aad35b1203682
SHA256 7319a06694543b7cba2d3d59d0c3f9b48a1ba93423e4f78fb1eea3c0a063809f
SHA512 ec4400e9b19b3666317aff59bb5b941ea557873cc23ab0ca20f56633eb749f55806381ed7d074bc0ce5733b77726f433180f7a183d0a9f707b72d5421b1c1114

memory/3136-97-0x0000000007CB0000-0x0000000007CBA000-memory.dmp

memory/3136-98-0x00000000741C0000-0x0000000074970000-memory.dmp

memory/3136-99-0x0000000008CC0000-0x00000000092D8000-memory.dmp

memory/3136-100-0x00000000086A0000-0x00000000087AA000-memory.dmp

memory/3136-101-0x0000000007E90000-0x0000000007EA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AED9.tmp\AEDA.tmp\AEDB.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/3136-103-0x0000000007F10000-0x0000000007F4C000-memory.dmp

memory/3136-107-0x0000000007EB0000-0x0000000007EFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D349.exe

MD5 4dc84b5df7ee95cdeb77587551f275bf
SHA1 842473aaf295afd6deda1bcc20de2b51cc8df41f
SHA256 aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a
SHA512 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\6hY51zJ.exe

MD5 6959dfd09b1c15b9dbb99741e0281ab5
SHA1 131bbc5364a52fe48c2608da808c127a10dc5f2a
SHA256 ae071c049d783e6ec8b4512c0b6bf941f8343a2dcda180fe13734aa87a74fb48
SHA512 7487546bd5ec3a1966087fadd4b6c7b53d3a703cd096930b9873fedde5620dcbedd8d760088e93b6bb8fd4eac5d29d1d4b09f9b121b3333f1a3cb8e9bba29cc2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

MD5 8899beca899dfb63b0ef64c806172f0d
SHA1 77c23735a2bdc850c9307c6453ba40b6060ddf68
SHA256 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c
SHA512 f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c126b33f65b7fc4ece66e42d6802b02e
SHA1 2a169a1c15e5d3dab708344661ec04d7339bcb58
SHA256 ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8
SHA512 eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822

C:\Users\Admin\AppData\Local\Temp\D444.exe

MD5 a9363557d2eb8af06a9c3e6c5e29e67c
SHA1 6ff0a1209514e798f5ec2a44240424024e678de3
SHA256 ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209
SHA512 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb

memory/3136-131-0x0000000007D70000-0x0000000007D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

MD5 2422b9a0ed2081a58526efd47556f5b6
SHA1 4ab2b51421c19ad73b8c44afc131ba0837ce0715
SHA256 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12
SHA512 a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

MD5 73125a5ae5fd152baaeedc235c1fbeac
SHA1 cd2330bc6fc7ef385b00a45234d9645a6d0c39f2
SHA256 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38
SHA512 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52

C:\Users\Admin\AppData\Local\Temp\D54E.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

MD5 29e94bc491b607b48b76a53a9d9a2a51
SHA1 b10963258329363a804b57936f5a5a6193a59bc3
SHA256 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042
SHA512 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\D743.exe

MD5 58258360f94c5c1e36eddf3359a7283a
SHA1 01deb71ebc5a9021658ee107516a5eafc5c27279
SHA256 416b5ac6485817378c5c2fff994c6d76a2df9578a5bbbc21f56780acdad9e901
SHA512 1e87b8699d2f589d9dd756f5b123988105861a5aa32c00e2ea460946937d22493c0495f3df97661da78126ab3c3a5e8f14c36d345e6a3573d6fc380e99aa6492

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

MD5 29e94bc491b607b48b76a53a9d9a2a51
SHA1 b10963258329363a804b57936f5a5a6193a59bc3
SHA256 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042
SHA512 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31

C:\Users\Admin\AppData\Local\Temp\D54E.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

MD5 73125a5ae5fd152baaeedc235c1fbeac
SHA1 cd2330bc6fc7ef385b00a45234d9645a6d0c39f2
SHA256 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38
SHA512 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Temp\D85E.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\4cc682me.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

C:\Users\Admin\AppData\Local\Temp\D444.exe

MD5 a9363557d2eb8af06a9c3e6c5e29e67c
SHA1 6ff0a1209514e798f5ec2a44240424024e678de3
SHA256 ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209
SHA512 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

MD5 2422b9a0ed2081a58526efd47556f5b6
SHA1 4ab2b51421c19ad73b8c44afc131ba0837ce0715
SHA256 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12
SHA512 a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

MD5 8899beca899dfb63b0ef64c806172f0d
SHA1 77c23735a2bdc850c9307c6453ba40b6060ddf68
SHA256 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c
SHA512 f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e

C:\Users\Admin\AppData\Local\Temp\D349.exe

MD5 4dc84b5df7ee95cdeb77587551f275bf
SHA1 842473aaf295afd6deda1bcc20de2b51cc8df41f
SHA256 aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a
SHA512 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841

memory/4080-184-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4080-187-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3068-188-0x0000000000830000-0x000000000083A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D9B6.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3068-189-0x00007FFF063E0000-0x00007FFF06EA1000-memory.dmp

memory/4080-191-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4348-192-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4348-198-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

memory/4788-211-0x00000000741C0000-0x0000000074970000-memory.dmp

\??\pipe\LOCAL\crashpad_3464_ZNKUJJEIONLLFVOU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4348-202-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\??\pipe\LOCAL\crashpad_5056_XVTYISMZQSPNROMP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:34

Reported

2023-10-10 20:38

Platform

win7-20230831-en

Max time kernel

119s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2428 set thread context of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1396 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 1396 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 1396 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 1396 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 1396 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 1396 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 1396 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
PID 2036 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2036 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2036 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2036 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2036 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2036 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 2036 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
PID 1144 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 1144 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 1144 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 1144 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 1144 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 1144 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 1144 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
PID 1748 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 1748 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 1748 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 1748 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 1748 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 1748 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 1748 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
PID 1748 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 1748 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 1748 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 1748 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 1748 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 1748 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 1748 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2428 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 284

Network

Country Destination Domain Proto
RU 5.42.92.211:80 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

MD5 a435fbc1e4e361f61a211d6cac3a4260
SHA1 3cb3d775bb552f7756705eeffa4f980bb65d79b3
SHA256 d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c
SHA512 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe

MD5 a435fbc1e4e361f61a211d6cac3a4260
SHA1 3cb3d775bb552f7756705eeffa4f980bb65d79b3
SHA256 d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c
SHA512 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76

\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

MD5 2b96a89e9ca635edafdb9682afa0d7a2
SHA1 669c1d1ba10291b7bff1378ae803acaf9e0d12d2
SHA256 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2
SHA512 e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe

MD5 2b96a89e9ca635edafdb9682afa0d7a2
SHA1 669c1d1ba10291b7bff1378ae803acaf9e0d12d2
SHA256 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2
SHA512 e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

MD5 aae355668362de272191fdfd215753b2
SHA1 4de07034358734227c371008fd7ffa3062c4041e
SHA256 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f
SHA512 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066

\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe

MD5 aae355668362de272191fdfd215753b2
SHA1 4de07034358734227c371008fd7ffa3062c4041e
SHA256 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f
SHA512 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe

MD5 6241b03d68a610324ecda52f0f84e287
SHA1 da80280b6e3925e455925efd6c6e59a6118269c4
SHA256 ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512 a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b