Malware Analysis Report

2025-08-10 23:42

Sample ID 231011-y2x3esba3y
Target d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1
SHA256 d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1
Tags
amadey healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan dcrat breha kukish microsoft phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1

Threat Level: Known bad

The file d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan dcrat breha kukish microsoft phishing

DcRat

SectopRAT

Healer

Amadey

SectopRAT payload

SmokeLoader

Detects Healer an antivirus disabler dropper

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Windows security modification

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 20:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 20:17

Reported

2023-10-12 14:46

Platform

win7-20230831-en

Max time kernel

153s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29B4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3CB8.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1D5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5055d1bd1afdd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403283743" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000007858acae1e9a5f08a32b8eabd19c70ebb87950d74172a39d41a2829feb139e50000000000e8000000002000020000000d38adb6d9f454608e34dd3330c79175d5336dfb05f6db06348a1d7f04876e41020000000911c43181495ff2dd4bc754c1b2739a75be2879461c17faa949e5faa800558de400000003eb8051c1b8b0333b45512fd431ae738c186e0f16f57dff7631c821badb083d901728d75f8247c8805fffd4ccfb3a3015c2ceb12333f8547e56a7bd683b0aacc C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC423591-690D-11EE-8B21-7EFDAE50F694} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1C6A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4F12.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\67C3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4429.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3CB8.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\SysWOW64\WerFault.exe
PID 2064 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\SysWOW64\WerFault.exe
PID 2064 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\SysWOW64\WerFault.exe
PID 2064 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\SysWOW64\WerFault.exe
PID 1204 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe
PID 1204 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe
PID 1204 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe
PID 1204 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe
PID 1204 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe
PID 1204 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe
PID 1204 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe
PID 1204 wrote to memory of 2480 N/A N/A C:\Users\Admin\AppData\Local\Temp\781.exe
PID 1204 wrote to memory of 2480 N/A N/A C:\Users\Admin\AppData\Local\Temp\781.exe
PID 1204 wrote to memory of 2480 N/A N/A C:\Users\Admin\AppData\Local\Temp\781.exe
PID 1204 wrote to memory of 2480 N/A N/A C:\Users\Admin\AppData\Local\Temp\781.exe
PID 1204 wrote to memory of 2944 N/A N/A C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2944 N/A N/A C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2944 N/A N/A C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\101A.exe
PID 1204 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\101A.exe
PID 1204 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\101A.exe
PID 1204 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\101A.exe
PID 2232 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 2232 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 2232 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 2232 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 2232 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 2232 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 2232 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\1D5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 1204 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C6A.exe
PID 1204 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C6A.exe
PID 1204 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C6A.exe
PID 2480 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\781.exe C:\Windows\SysWOW64\WerFault.exe
PID 2480 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\781.exe C:\Windows\SysWOW64\WerFault.exe
PID 2480 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\781.exe C:\Windows\SysWOW64\WerFault.exe
PID 2480 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\781.exe C:\Windows\SysWOW64\WerFault.exe
PID 948 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 948 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 948 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 948 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 948 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 948 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 948 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 2792 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 2792 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 2792 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 2792 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 2792 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 2792 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 2792 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 1204 wrote to memory of 680 N/A N/A C:\Users\Admin\AppData\Local\Temp\29B4.exe
PID 1204 wrote to memory of 680 N/A N/A C:\Users\Admin\AppData\Local\Temp\29B4.exe
PID 1204 wrote to memory of 680 N/A N/A C:\Users\Admin\AppData\Local\Temp\29B4.exe
PID 1204 wrote to memory of 680 N/A N/A C:\Users\Admin\AppData\Local\Temp\29B4.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe

"C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 52

C:\Users\Admin\AppData\Local\Temp\1D5.exe

C:\Users\Admin\AppData\Local\Temp\1D5.exe

C:\Users\Admin\AppData\Local\Temp\781.exe

C:\Users\Admin\AppData\Local\Temp\781.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACC.bat" "

C:\Users\Admin\AppData\Local\Temp\101A.exe

C:\Users\Admin\AppData\Local\Temp\101A.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe

C:\Users\Admin\AppData\Local\Temp\1C6A.exe

C:\Users\Admin\AppData\Local\Temp\1C6A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 48

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe

C:\Users\Admin\AppData\Local\Temp\29B4.exe

C:\Users\Admin\AppData\Local\Temp\29B4.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 48

C:\Users\Admin\AppData\Local\Temp\3CB8.exe

C:\Users\Admin\AppData\Local\Temp\3CB8.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\4429.exe

C:\Users\Admin\AppData\Local\Temp\4429.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\4F12.exe

C:\Users\Admin\AppData\Local\Temp\4F12.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 36

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\5B34.exe

C:\Users\Admin\AppData\Local\Temp\5B34.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\6082.exe

C:\Users\Admin\AppData\Local\Temp\6082.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\67C3.exe

C:\Users\Admin\AppData\Local\Temp\67C3.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6082.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {74B0E22B-BDA2-4D65-8576-ACA13BDF922F} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

Network

Files


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6718c73b21e033872986dd4d162e55c8
SHA1 e4262aa153921662fc9d6223f3dfcb338c7df9f5
SHA256 49e2e37cc45d39b79c3b03cc7a81a4445f052119c801519721cce48958e73e67
SHA512 caf2cf71f86097ca5cd4856202944b406ba4e69e535363493b5a63ed9e588f433e401b53db262490b9170d6b98b0ec6671ceddda7adf26df65b0adcd083252cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 474afb748cfa7714883b785e43621bb6
SHA1 a63c952a2d983dcc5f04e581ede36ae690e98803
SHA256 cd5d54ae0c63eb54dfb44b45e4e89c7a268935ab0815b8eb4c9094a533f376b6
SHA512 d5c2248cb80769a8a3bfcf1bb9261a4795fb539e337f203a46164c0da8e0b019cd09409e490fb76ffb8a809311559c78357fa8d2fbfbb25db471732dae260bab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 264b259b14eb487c634789f23a04bdb4
SHA1 2b09858236a0ac4b7985d1de0a9dd749424bc7f5
SHA256 d65594054f08bbf452bef3235f6811a32735f1130cfadba09dbdaa81820de124
SHA512 b2b1cb74c3e35cdcbca5c7826ae928bbbe40e7e1d0ec35cc2c93640f67e77ebda896d87430f023f3037fa7c62fea1ed57926fe6a8bb7f43441f52cd8a0d2f21e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5862fbf6a3f7f0b3c43948f02353497f
SHA1 83c2e10dffbf583eedf3942a8b36f9df4d12452b
SHA256 ac6992e05e968eda2062ed29005353ea699e391199e6960f15453187229319f5
SHA512 7fc83df9e6b37d87315713b05d7715eacb80b194641a5ad73b55f1ae91dbeec2bd588e637082de6a6ce3026593c8b94e215fa894aaf425f772c1ab8726b7719c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ec53a8bd667d5ef991111ad003572d2
SHA1 29f0b8d0915f04bea35b1f58eff157be1959d5e7
SHA256 7bb9dda3427ac91a5a2491c341dd04fef99892fa888bf3f94ffbf5e053ff8018
SHA512 0747926fa0405776f179bf90cc5c3454600836757541e733b49c42ed276dec8638e5434898861bc19bf35615ccc6c829bac2365b61aef00eb5e70c67e72d7389

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 815c9a5514dc4bf1a554b87bc1731300
SHA1 575734d111e03963051eb562fb943cd5b663d07f
SHA256 179e12d4c18a0c1641bd9ea2ed116a062da4fd4570ac948fa71ebcc2be45efe2
SHA512 f7ee1b6f778863918cbde2c08d3ca6248112167ea5c834517ab3f21e50fbc32e4f11bb933c660e56ba9814b5bf7c01dbdc8981bbd5104e235e23585cee25b0b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32d984657fd1997cecca483a5925cfeb
SHA1 f58d221bbd6098d0b7616f1712cc56a3c83164c4
SHA256 cfe80a3a528c7beddc50aa7fbe478c3653832364f26da50d3c0bdc92a3a8c187
SHA512 6a8c669e46439e8255c73860c821c81258baf78c4ea18dc6ec2adf7653b550dca74c37bf48051a98b91d09451af24fd1475c5479519336ad33f20f2a7553db71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20047288cc3c1a3d04259bd7bdcc6f25
SHA1 7fad06c929b05ed5fa1a5f48e7981d9fcb8ff090
SHA256 4061118d8b050b23897466af9f2ecd446da7b5e67dcbc3f9f7da848ed5a89bfb
SHA512 bf4ffba010f4fcf3edc49a804789237533159a507ab58cca889e4983b55f4ade5b469b9bdca4c15b628e0b0807bd14cbf3bcc335553d6c3b979bd67ed0c6c385

C:\Users\Admin\AppData\Local\Temp\tmpCA35.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpCC7D.tmp

MD5 9de8f5c2b2916ab8ca2989f2fe8b3fe2
SHA1 64e7ec07d4d201ad2a5067be2e43429240394339
SHA256 ace3173e6cbc20b7b89aba8db456417a654e26147b9f0a97e8289147782324b8
SHA512 ba3bacb0e8639c763015791dc19411ccc1f3eaca807815988cafd8d4ebe7ced1e02daab55583df505bd42275589509e98c967466015afff5e9792ac74cb432f4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 20:17

Reported

2023-10-12 14:46

Platform

win10v2004-20230915-en

Max time kernel

155s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\5728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\5728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\5728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\5728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\5728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\5728.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\58AF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5AA4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\5728.exe N/A
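The two Defender-related signatures above (the five Real-Time Protection policy values set to 1 and Features\TamperProtection set to 0, all attributed to 5728.exe) are the cleanest host artefacts in this run. The following PowerShell is an added example, not part of the sandbox report and not code from the sample: it re-checks a host for exactly those values, then cross-checks what the Defender engine itself reports and what its operational log recorded. It assumes a Windows 10/11 host with the built-in Defender module; run it elevated so the Features key and the Defender event log are readable. One caveat the report cannot show: with Tamper Protection on, Defender ignores these policy values, so the registry writes can be present while protection is still running, which is why the engine and event-log checks are included.

```powershell
# Added example, not part of the sandbox report: re-check a host for the exact
# Defender settings 5728.exe wrote in this detonation.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$featureKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
# Values the report shows being set to 1 (each one is "disable X").
$disableValues = 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
                 'DisableOnAccessProtection', 'DisableRealtimeMonitoring',
                 'DisableScanOnRealtimeEnable'

function Get-DefenderTamperFindings {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Policy values: on a clean workstation this key usually does not exist at all.
    if (Test-Path -Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        foreach ($name in $disableValues) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -ne $prop -and [int]$prop.Value -eq 1) {
                $findings.Add([pscustomobject]@{
                    Check  = "policy $name"
                    Value  = $prop.Value
                    Detail = 'matches the write attributed to 5728.exe in the report'
                })
            }
        }
    }

    # 2. Tamper Protection flag: 5 means enabled; the sample wrote 0.
    $tp = Get-ItemProperty -Path $featureKey -Name TamperProtection -ErrorAction SilentlyContinue
    if ($null -ne $tp -and $tp.TamperProtection -ne 5) {
        $findings.Add([pscustomobject]@{
            Check  = 'Features\TamperProtection'
            Value  = $tp.TamperProtection
            Detail = 'expected 5 (enabled)'
        })
    }

    # 3. What the engine itself reports, so a registry write that Defender ignored
    #    (Tamper Protection on) is not mistaken for a successful disable.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -ne $status) {
        foreach ($flag in 'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
                          'IoavProtectionEnabled', 'OnAccessProtectionEnabled', 'IsTamperProtected') {
            if ($status.$flag -eq $false) {
                $findings.Add([pscustomobject]@{
                    Check  = "engine $flag"
                    Value  = $false
                    Detail = 'reported off by Get-MpComputerStatus'
                })
            }
        }
    }

    # 4. Defender's own log: 5001 = real-time protection disabled,
    #    5004 = real-time protection configuration changed, 5007 = configuration changed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5004, 5007
    } -MaxEvents 50 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings.Add([pscustomobject]@{
            Check  = "event $($e.Id)"
            Value  = $e.TimeCreated
            Detail = ($e.Message -split "`n")[0]
        })
    }
    return $findings
}

Get-DefenderTamperFindings | Format-Table -AutoSize
```

An empty result from all four checks on a suspect host is itself informative: the policy key absent, TamperProtection at 5 and no 5001 event means the Healer stage either never ran or was blocked before it reached the registry.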

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4C37.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe N/A

These five wextract_cleanupN values are written by wextract.exe, the IExpress self-extractor stub, and only schedule deletion of its IXP00n.TMP working directory (advpack.dll,DelNodeRunDLL32) at the next logon. They identify 4C37.exe as a five-layer nested IExpress package (4C37.exe, lC2vI0uI.exe, FO1zF6nE.exe, Jd7hw0FL.exe, pe9jZ9lK.exe, with 1hz04XB0.exe as the innermost executable) rather than a launch entry for a payload; the persistence in this run is the schtasks entries for explothe.exe and oneetx.exe listed under Processes.

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

The only Microsoft-branded URL in this run is the go.microsoft.com/fwlink address that msedge.exe opens at the end of the process list, carrying o1=SHIM_NOVERSION_FOUND and processName=5CD8.exe. That is the .NET Framework startup shim's "runtime not found" redirect, raised because 5CD8.exe asked for a CLR version the win10v2004 image does not provide. Treat this hit as the side effect of a payload that failed to start, not as a phishing page served by the sample.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
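The two schtasks.exe invocations behind this signature are spelled out under Processes: /SC MINUTE /MO 1 /TN explothe.exe and /TN oneetx.exe, each re-launching a binary from a ten-hex-character directory under %LOCALAPPDATA%\Temp, followed by a cmd.exe /k line that runs CACLS "/P Admin:N" and then "/P Admin:R /E" on both the file and its directory. The following PowerShell is an added example, not part of the sandbox report and not code from the sample; it hunts for that pair of artefacts on a host. It assumes the layout seen in this run (task action under the user's Temp directory, one-minute repetition, directory names matching ^[0-9a-f]{10}$, the last being an assumption drawn from fefffe8cea and 207aa4515d) and runs as the affected user.

```powershell
# Added example, not part of the sandbox report: hunt for the persistence shape
# explothe.exe and oneetx.exe show here (schtasks /SC MINUTE /MO 1 pointing into
# %LOCALAPPDATA%\Temp\<10 hex chars>\, then CACLS leaving only a Read ACE).
$tempRoot = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Temp'

function Get-MinuteTasksInTemp {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute; COM-handler actions are skipped.
            $exe = $action.Execute
            if (-not $exe) { continue }
            if ($exe.Trim('"') -notlike "$tempRoot\*") { continue }
            # /SC MINUTE /MO 1 is stored as a repetition interval of PT1M.
            $everyMinute = @($task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1M' }).Count -gt 0
            [pscustomobject]@{
                TaskName    = $task.TaskName
                Execute     = $exe
                EveryMinute = $everyMinute
                Author      = $task.Author
            }
        }
    }
}

function Get-LockedTempDirs {
    Get-ChildItem -Path $tempRoot -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9a-f]{10}$' } |   # assumption: names like fefffe8cea, 207aa4515d
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if ($null -eq $acl) { return }
            # CACLS /P "Admin:N" replaces the whole ACL with one entry, and the
            # following /P "Admin:R" /E edits that entry to Read. The result is a
            # single Allow ACE with no write bits for anyone, Administrators and
            # SYSTEM included, so the directory cannot be deleted without taking
            # ownership first.
            $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
            $canWrite = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeBits) -ne 0)
            }).Count -gt 0
            [pscustomobject]@{
                Directory   = $_.FullName
                AceCount    = $acl.Access.Count
                AnyWriteAce = $canWrite
                Executables = (Get-ChildItem -Path $_.FullName -Filter '*.exe' -ErrorAction SilentlyContinue).Name -join ', '
            }
        }
}

Get-MinuteTasksInTemp | Format-Table -AutoSize
Get-LockedTempDirs    | Format-Table -AutoSize
```

A directory with AceCount 1 and AnyWriteAce False next to a task that fires every minute is the combination this run produces. Remove the task before touching the files, because the task otherwise restarts the binary within a minute; then take ownership and reset the ACL from an elevated prompt (takeown /F <dir> /R /D Y followed by icacls <dir> /reset /T) before deleting.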

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5728.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3188 wrote to memory of 1968 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C37.exe
PID 3188 wrote to memory of 1968 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C37.exe
PID 3188 wrote to memory of 1968 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C37.exe
PID 1968 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\4C37.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 1968 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\4C37.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 1968 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\4C37.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 3188 wrote to memory of 3556 N/A N/A C:\Users\Admin\AppData\Local\Temp\4EF7.exe
PID 3188 wrote to memory of 3556 N/A N/A C:\Users\Admin\AppData\Local\Temp\4EF7.exe
PID 3188 wrote to memory of 3556 N/A N/A C:\Users\Admin\AppData\Local\Temp\4EF7.exe
PID 2192 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 2192 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 2192 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe
PID 4036 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 4036 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 4036 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe
PID 3188 wrote to memory of 3524 N/A N/A C:\Windows\system32\cmd.exe
PID 3188 wrote to memory of 3524 N/A N/A C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe
PID 2884 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe
PID 2884 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe
PID 1296 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe
PID 1296 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe
PID 1296 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe
PID 3188 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\Temp\55FE.exe
PID 3188 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\Temp\55FE.exe
PID 3188 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\Temp\55FE.exe
PID 3188 wrote to memory of 3960 N/A N/A C:\Users\Admin\AppData\Local\Temp\5728.exe
PID 3188 wrote to memory of 3960 N/A N/A C:\Users\Admin\AppData\Local\Temp\5728.exe
PID 3188 wrote to memory of 492 N/A N/A C:\Users\Admin\AppData\Local\Temp\58AF.exe
PID 3188 wrote to memory of 492 N/A N/A C:\Users\Admin\AppData\Local\Temp\58AF.exe
PID 3188 wrote to memory of 492 N/A N/A C:\Users\Admin\AppData\Local\Temp\58AF.exe
PID 3188 wrote to memory of 3632 N/A N/A C:\Users\Admin\AppData\Local\Temp\5AA4.exe
PID 3188 wrote to memory of 3632 N/A N/A C:\Users\Admin\AppData\Local\Temp\5AA4.exe
PID 3188 wrote to memory of 3632 N/A N/A C:\Users\Admin\AppData\Local\Temp\5AA4.exe
PID 3188 wrote to memory of 2052 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD8.exe
PID 3188 wrote to memory of 2052 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD8.exe
PID 3188 wrote to memory of 2052 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD8.exe
PID 3188 wrote to memory of 1956 N/A N/A C:\Users\Admin\AppData\Local\Temp\5E30.exe
PID 3188 wrote to memory of 1956 N/A N/A C:\Users\Admin\AppData\Local\Temp\5E30.exe
PID 3188 wrote to memory of 1956 N/A N/A C:\Users\Admin\AppData\Local\Temp\5E30.exe
PID 3188 wrote to memory of 4872 N/A N/A C:\Users\Admin\AppData\Local\Temp\6229.exe
PID 3188 wrote to memory of 4872 N/A N/A C:\Users\Admin\AppData\Local\Temp\6229.exe
PID 3188 wrote to memory of 4872 N/A N/A C:\Users\Admin\AppData\Local\Temp\6229.exe
PID 492 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\58AF.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 492 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\58AF.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 492 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\58AF.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3188 wrote to memory of 3876 N/A N/A C:\Users\Admin\AppData\Local\Temp\668F.exe
PID 3188 wrote to memory of 3876 N/A N/A C:\Users\Admin\AppData\Local\Temp\668F.exe
PID 3188 wrote to memory of 3876 N/A N/A C:\Users\Admin\AppData\Local\Temp\668F.exe
PID 3524 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3524 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3188 wrote to memory of 4664 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B05.exe
PID 3188 wrote to memory of 4664 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B05.exe
PID 3188 wrote to memory of 4664 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B05.exe
PID 4748 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4748 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4748 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4748 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
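The table above repeats each cross-process write as its own row, which hides the shape of the chain. The following PowerShell is an added example, not part of the sandbox report: it parses rows of this exact format into a deduplicated write graph and shows why a naive PID-to-image mapping is not enough for a run this long. The rows embedded in the script are a subset copied from the table above; the parser and its column-splitting rule are mine and accept any row of the same shape.

```powershell
# Added example, not part of the sandbox report: rebuild the cross-process write
# graph from "Suspicious use of WriteProcessMemory" rows.
$rows = @'
PID 4872 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3188 wrote to memory of 1968 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C37.exe
PID 1968 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\4C37.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe
PID 3188 wrote to memory of 3524 N/A N/A C:\Windows\system32\cmd.exe
PID 3188 wrote to memory of 4872 N/A N/A C:\Users\Admin\AppData\Local\Temp\6229.exe
PID 3524 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 492 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\58AF.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
'@ -split "`r?`n"

function ConvertFrom-WpmRow {
    param([string]$Line)
    if ($Line -notmatch '^PID (\d+) wrote to memory of (\d+)\s+(.+)$') { return $null }
    $src = [int]$Matches[1]
    $dst = [int]$Matches[2]
    # Columns left: Indicator, Process, Target. Paths contain spaces, so split
    # only where the next column begins (a drive letter or a literal N/A).
    $cols = $Matches[3] -split '\s+(?=[A-Za-z]:\\|N/A(?:\s|$))'
    if ($cols.Count -lt 3) { return $null }
    [pscustomobject]@{ Src = $src; Dst = $dst; SrcImage = $cols[1]; DstImage = $cols[2] }
}

function Add-Image([hashtable]$Map, [int]$ProcId, [string]$Image) {
    if ($Image -eq 'N/A') { return }
    if (-not $Map.ContainsKey($ProcId)) { $Map[$ProcId] = [System.Collections.Generic.List[string]]::new() }
    if (-not $Map[$ProcId].Contains($Image)) { $Map[$ProcId].Add($Image) }
}

function Get-InjectionGraph {
    param([string[]]$Lines)
    $images = @{}            # pid -> every image observed behind that pid
    $edges  = [ordered]@{}   # "src->dst" -> number of write rows
    foreach ($line in $Lines) {
        $row = ConvertFrom-WpmRow -Line $line
        if ($null -eq $row) { continue }
        Add-Image $images $row.Src $row.SrcImage
        Add-Image $images $row.Dst $row.DstImage
        $key = "$($row.Src)->$($row.Dst)"
        if ($edges.Contains($key)) { $edges[$key]++ } else { $edges[$key] = 1 }
    }
    foreach ($key in $edges.Keys) {
        $s, $d = $key -split '->' | ForEach-Object { [int]$_ }
        $srcImgs = if ($images.ContainsKey($s)) { $images[$s] } else { @('?') }
        $dstImgs = if ($images.ContainsKey($d)) { $images[$d] } else { @('?') }
        [pscustomobject]@{
            Source      = $s
            SourceImage = ($srcImgs -join ' | ')
            Target      = $d
            TargetImage = ($dstImgs -join ' | ')
            Writes      = $edges[$key]
            # Two images behind one PID inside a single run means the PID was
            # reused after the first process exited; 4872 is the sample and later 6229.exe.
            PidReused   = ($srcImgs.Count -gt 1) -or ($dstImgs.Count -gt 1)
        }
    }
}

Get-InjectionGraph -Lines $rows | Format-Table -AutoSize
```

On these rows the 4872 -> 3688 edge comes out with PidReused True: 4872 first hosts the sample, which writes into a freshly started AppLaunch.exe and is then handled by WerFault.exe -p 4872, and the same PID is later assigned to 6229.exe when 3188 writes into it. Any timeline that keys on PID alone would merge those two processes. The write into AppLaunch.exe (and, elsewhere in this section, vbc.exe), taken together with the UnmapMainImage, MapViewOfSection and SetThreadContext signatures, is the process-hollowing pattern the RedLine and SectopRAT payload detections are sitting on.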

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe

"C:\Users\Admin\AppData\Local\Temp\d2f8260f6c20bab0efc8093ffad73d2edb702a53313adb778788d68c3e0248b1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4872 -ip 4872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 236

C:\Users\Admin\AppData\Local\Temp\4C37.exe

C:\Users\Admin\AppData\Local\Temp\4C37.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe

C:\Users\Admin\AppData\Local\Temp\4EF7.exe

C:\Users\Admin\AppData\Local\Temp\4EF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\51B7.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe

C:\Users\Admin\AppData\Local\Temp\55FE.exe

C:\Users\Admin\AppData\Local\Temp\55FE.exe

C:\Users\Admin\AppData\Local\Temp\5728.exe

C:\Users\Admin\AppData\Local\Temp\5728.exe

C:\Users\Admin\AppData\Local\Temp\58AF.exe

C:\Users\Admin\AppData\Local\Temp\58AF.exe

C:\Users\Admin\AppData\Local\Temp\5AA4.exe

C:\Users\Admin\AppData\Local\Temp\5AA4.exe

C:\Users\Admin\AppData\Local\Temp\5CD8.exe

C:\Users\Admin\AppData\Local\Temp\5CD8.exe

C:\Users\Admin\AppData\Local\Temp\5E30.exe

C:\Users\Admin\AppData\Local\Temp\5E30.exe

C:\Users\Admin\AppData\Local\Temp\6229.exe

C:\Users\Admin\AppData\Local\Temp\6229.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\668F.exe

C:\Users\Admin\AppData\Local\Temp\668F.exe

C:\Users\Admin\AppData\Local\Temp\6B05.exe

C:\Users\Admin\AppData\Local\Temp\6B05.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x80,0x128,0x7ffe655e46f8,0x7ffe655e4708,0x7ffe655e4718

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe655e46f8,0x7ffe655e4708,0x7ffe655e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3556 -ip 3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=5CD8.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe655e46f8,0x7ffe655e4708,0x7ffe655e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 156

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,18282517166895844133,14311216826413490365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3912 -ip 3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4164 -ip 4164

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GC271vg.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GC271vg.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=5CD8.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe655e46f8,0x7ffe655e4708,0x7ffe655e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2920 -ip 2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13913610135586885992,14014731486274961109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Network

Country  Destination           Domain                           Proto
US       8.8.8.8:53            146.78.124.51.in-addr.arpa       udp
US       8.8.8.8:53            1.208.79.178.in-addr.arpa        udp
US       8.8.8.8:53            17.160.190.20.in-addr.arpa       udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa      udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa        udp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa      udp
FI       77.91.68.29:80        77.91.68.29                      tcp
US       8.8.8.8:53            29.68.91.77.in-addr.arpa         udp
FI       77.91.68.52:80        77.91.68.52                      tcp
US       8.8.8.8:53            52.68.91.77.in-addr.arpa         udp
US       8.8.8.8:53            157.123.68.40.in-addr.arpa       udp
RU       5.42.65.80:80         5.42.65.80                       tcp
TR       185.216.70.222:80     185.216.70.222                   tcp
US       8.8.8.8:53            80.65.42.5.in-addr.arpa          udp
US       8.8.8.8:53            56.126.166.20.in-addr.arpa       udp
US       8.8.8.8:53            222.70.216.185.in-addr.arpa      udp
BG       171.22.28.213:80      171.22.28.213                    tcp
US       8.8.8.8:53            213.28.22.171.in-addr.arpa       udp
US       8.8.8.8:53            254.7.248.8.in-addr.arpa         udp
FI       77.91.124.1:80        77.91.124.1                      tcp
US       8.8.8.8:53            1.124.91.77.in-addr.arpa         udp
RU       5.42.65.80:80         5.42.65.80                       tcp
IT       185.196.9.65:80                                        tcp
BG       171.22.28.202:16706                                    tcp
US       8.8.8.8:53            65.9.196.185.in-addr.arpa        udp
NL       85.209.176.171:80     85.209.176.171                   tcp
US       8.8.8.8:53            202.28.22.171.in-addr.arpa       udp
US       8.8.8.8:53            171.176.209.85.in-addr.arpa      udp
RU       5.42.92.211:80        5.42.92.211                      tcp
US       8.8.8.8:53            accounts.google.com              udp
US       8.8.8.8:53            www.facebook.com                 udp
NL       157.240.247.35:443    www.facebook.com                 tcp
NL       142.250.179.141:443   accounts.google.com              tcp
US       8.8.8.8:53            learn.microsoft.com              udp
NL       104.85.2.139:443      learn.microsoft.com              tcp
US       8.8.8.8:53            211.92.42.5.in-addr.arpa         udp
US       8.8.8.8:53            183.2.85.104.in-addr.arpa        udp
US       8.8.8.8:53            35.247.240.157.in-addr.arpa      udp
US       8.8.8.8:53            141.179.250.142.in-addr.arpa     udp
TR       185.216.70.238:37515                                   tcp
US       8.8.8.8:53            139.2.85.104.in-addr.arpa        udp
US       8.8.8.8:53            api.ip.sb                        udp
US       104.26.13.31:443      api.ip.sb                        tcp
US       104.26.13.31:443      api.ip.sb                        tcp
US       8.8.8.8:53            238.70.216.185.in-addr.arpa      udp
US       8.8.8.8:53            31.13.26.104.in-addr.arpa        udp
N/A      224.0.0.251:5353                                       udp
US       8.8.8.8:53            wcpstatic.microsoft.com          udp
US       8.8.8.8:53            js.monitor.azure.com             udp
US       13.107.246.67:443     js.monitor.azure.com             tcp
US       13.107.246.67:443     js.monitor.azure.com             tcp
US       8.8.8.8:53            mscom.demdex.net                 udp
US       8.8.8.8:53            target.microsoft.com             udp
US       8.8.8.8:53            microsoftmscompoc.tt.omtrdc.net  udp
IE       52.210.141.111:443    mscom.demdex.net                 tcp
FI       77.91.124.55:19071                                     tcp
US       8.8.8.8:53            67.246.107.13.in-addr.arpa       udp
US       8.8.8.8:53            111.141.210.52.in-addr.arpa      udp
US       8.8.8.8:53            static.xx.fbcdn.net              udp
NL       157.240.247.8:443     static.xx.fbcdn.net              tcp
NL       157.240.247.8:443     static.xx.fbcdn.net              tcp
NL       157.240.247.8:443     static.xx.fbcdn.net              tcp
US       8.8.8.8:53            8.247.240.157.in-addr.arpa       udp
FI       77.91.124.55:19071                                     tcp
US       13.107.246.67:443     js.monitor.azure.com             tcp
IE       52.210.141.111:443    mscom.demdex.net                 tcp
US       8.8.8.8:53            facebook.com                     udp
GB       157.240.221.35:443    facebook.com                     tcp
US       8.8.8.8:53            mdec.nelreports.net              udp
NL       23.72.252.74:443      mdec.nelreports.net              tcp
US       8.8.8.8:53            fbcdn.net                        udp
GB       157.240.221.35:443    fbcdn.net                        tcp
US       8.8.8.8:53            35.221.240.157.in-addr.arpa      udp
US       8.8.8.8:53            74.252.72.23.in-addr.arpa        udp
US       8.8.8.8:53            fbsbx.com                        udp
FI       77.91.124.55:19071                                     tcp
FI       77.91.124.55:19071                                     tcp
FI       77.91.124.1:80        77.91.124.1                      tcp
US       8.8.8.8:53            75.159.190.20.in-addr.arpa       udp
FI       77.91.124.55:19071                                     tcp
FI       77.91.124.55:19071                                     tcp
US       8.8.8.8:53            14.173.189.20.in-addr.arpa       udp
FI       77.91.124.55:19071                                     tcp
FI       77.91.124.55:19071                                     tcp

Files

memory/3688-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3688-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3188-2-0x0000000003410000-0x0000000003426000-memory.dmp

memory/3688-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C37.exe

MD5 8d8bb56f32eb8c429dc5508745235c55
SHA1 359f631d7c056a3262a1b756c5c72f261eed97ad
SHA256 f849ea0a82ed039f8c726ab554550d3ac56ff807faa122fc7f64621a4c83c09d
SHA512 5a5b0f3ea34b8a8e9edbcf2899299c84ce0d0f8dc0b0883e507236a85643fdb13873dfefd91ff6e693ce5a3d3b1ab0ba23326ef38447a9b4921f398253d21cbe

C:\Users\Admin\AppData\Local\Temp\4C37.exe

MD5 8d8bb56f32eb8c429dc5508745235c55
SHA1 359f631d7c056a3262a1b756c5c72f261eed97ad
SHA256 f849ea0a82ed039f8c726ab554550d3ac56ff807faa122fc7f64621a4c83c09d
SHA512 5a5b0f3ea34b8a8e9edbcf2899299c84ce0d0f8dc0b0883e507236a85643fdb13873dfefd91ff6e693ce5a3d3b1ab0ba23326ef38447a9b4921f398253d21cbe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe

MD5 e9ebaab9a3606a72b7bc15db6ede99d0
SHA1 aa452c5eb3a6e3b5e4f92852de56cf65a1d9ccc7
SHA256 28c121e7fe0c5dbcba40c2848ebaf4610265978122884c451362d519fbb11f25
SHA512 2720c84b23963a862f6c40b91b8f75855ba2b54f1558b2f8baf37814a291f6fda79bab5196a6be2694b4d4449fcf313d229529dffe4a843d68fbf476b4f70afd

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lC2vI0uI.exe

MD5 e9ebaab9a3606a72b7bc15db6ede99d0
SHA1 aa452c5eb3a6e3b5e4f92852de56cf65a1d9ccc7
SHA256 28c121e7fe0c5dbcba40c2848ebaf4610265978122884c451362d519fbb11f25
SHA512 2720c84b23963a862f6c40b91b8f75855ba2b54f1558b2f8baf37814a291f6fda79bab5196a6be2694b4d4449fcf313d229529dffe4a843d68fbf476b4f70afd

C:\Users\Admin\AppData\Local\Temp\4EF7.exe

MD5 d0f02f3f6b2bd42f675db325295172a9
SHA1 219389381210781cea233d17dc764f94c88802a4
SHA256 10aab7a19d1567a650d6b3149aaf149f8b94cbad65d01209353ae3c61a21919e
SHA512 d480067dafe98f490b200fa95b9e182b735cda6058d0b67e736eb446d2188119645b366421242d0a530d55664eaea1a49529202971c98dab8e37027bfcf199ec

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe

MD5 965fd26a4bd59232f88748e2db1d49e2
SHA1 b21ab06321fd86baf207f7867be195a1855f619e
SHA256 4b13637e1d389d2095dfe1a7ef6f13c4a5a27599e1f05b2a31f7da3332d67690
SHA512 746dc3f57a489e823135c43acef45e55c8a20684d7036102f71de9d377f0c24365576a508ce0ae8ae35c5f25b1c7f4dff5cce262e8f4868426aa4af040e64f7f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FO1zF6nE.exe

MD5 965fd26a4bd59232f88748e2db1d49e2
SHA1 b21ab06321fd86baf207f7867be195a1855f619e
SHA256 4b13637e1d389d2095dfe1a7ef6f13c4a5a27599e1f05b2a31f7da3332d67690
SHA512 746dc3f57a489e823135c43acef45e55c8a20684d7036102f71de9d377f0c24365576a508ce0ae8ae35c5f25b1c7f4dff5cce262e8f4868426aa4af040e64f7f

C:\Users\Admin\AppData\Local\Temp\4EF7.exe

MD5 d0f02f3f6b2bd42f675db325295172a9
SHA1 219389381210781cea233d17dc764f94c88802a4
SHA256 10aab7a19d1567a650d6b3149aaf149f8b94cbad65d01209353ae3c61a21919e
SHA512 d480067dafe98f490b200fa95b9e182b735cda6058d0b67e736eb446d2188119645b366421242d0a530d55664eaea1a49529202971c98dab8e37027bfcf199ec

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe

MD5 fa401b9dfca460e40d158f6674234a3f
SHA1 6b2a11107e70b3ffa2ff6ee9ae8b004c0a726d06
SHA256 e877bdcde12a96e02952b76d13eac141bee541e6e2f12d1f833f76d76d5ee5ab
SHA512 6fb1720f06f705ac8bc67f4aa483b55b8ce7672cf58fe5da22108c28a52f18a2b05bd8e60eb08096fb80dfec595cf47a1315ce4805c064e4b32d3a291153ad32

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jd7hw0FL.exe

MD5 fa401b9dfca460e40d158f6674234a3f
SHA1 6b2a11107e70b3ffa2ff6ee9ae8b004c0a726d06
SHA256 e877bdcde12a96e02952b76d13eac141bee541e6e2f12d1f833f76d76d5ee5ab
SHA512 6fb1720f06f705ac8bc67f4aa483b55b8ce7672cf58fe5da22108c28a52f18a2b05bd8e60eb08096fb80dfec595cf47a1315ce4805c064e4b32d3a291153ad32

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe

MD5 5002a42decacdb21c42ccd9fb10d9a9f
SHA1 e17bdfc577e44c35c04ab9efa8fe7f8dc190d1ce
SHA256 b16e51a6bc19a24f6e477dcea5e07547672e5154b8bbdb80a722246d7a9e4988
SHA512 c021b324384c5f33e5c94a4953b6a18b04a4a2d895403d6d1259b4fd942a6f0851f23c463739d110ec8edd61a75aed3e8473bbe13414cccfe4aab20c965a26eb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe9jZ9lK.exe

MD5 5002a42decacdb21c42ccd9fb10d9a9f
SHA1 e17bdfc577e44c35c04ab9efa8fe7f8dc190d1ce
SHA256 b16e51a6bc19a24f6e477dcea5e07547672e5154b8bbdb80a722246d7a9e4988
SHA512 c021b324384c5f33e5c94a4953b6a18b04a4a2d895403d6d1259b4fd942a6f0851f23c463739d110ec8edd61a75aed3e8473bbe13414cccfe4aab20c965a26eb

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe

MD5 19477110aa849bd70f20614b555876eb
SHA1 e8c97d0945742ac3b123e4d41d11370473819798
SHA256 b01b105c170f1a886ab90dd1d96ccabdff92ab4635e470d95c488d5f0194836f
SHA512 44138fa8f621f436337b3a1c8cee7a447239ea057ea92d7ae98dd75b549b9507721da32a5846d42528e8538128f56fbe64cb9e7b23efd9971e551197edcadd34

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hz04XB0.exe

MD5 19477110aa849bd70f20614b555876eb
SHA1 e8c97d0945742ac3b123e4d41d11370473819798
SHA256 b01b105c170f1a886ab90dd1d96ccabdff92ab4635e470d95c488d5f0194836f
SHA512 44138fa8f621f436337b3a1c8cee7a447239ea057ea92d7ae98dd75b549b9507721da32a5846d42528e8538128f56fbe64cb9e7b23efd9971e551197edcadd34

C:\Users\Admin\AppData\Local\Temp\51B7.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\55FE.exe

MD5 0313254983509a648ab46856373f5255
SHA1 9cc351205abc23649ea8e777efbd775c350c2d96
SHA256 73d33c92149258bbfe41d9078bff30f08e1674b610d9a3223f6efcc103c11216
SHA512 27a4fde00665fdbac4ab3d8d0b58708a00cbfd638d2ae58f1a384e0374af5fd23e9213e055a2c0653ad1e1fafe369b20029d8b24c987a3070d8d91c90235b5f1

C:\Users\Admin\AppData\Local\Temp\5728.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\5728.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/3960-63-0x0000000000C20000-0x0000000000C2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\55FE.exe

MD5 0313254983509a648ab46856373f5255
SHA1 9cc351205abc23649ea8e777efbd775c350c2d96
SHA256 73d33c92149258bbfe41d9078bff30f08e1674b610d9a3223f6efcc103c11216
SHA512 27a4fde00665fdbac4ab3d8d0b58708a00cbfd638d2ae58f1a384e0374af5fd23e9213e055a2c0653ad1e1fafe369b20029d8b24c987a3070d8d91c90235b5f1

memory/3960-68-0x00007FFE62B20000-0x00007FFE635E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\58AF.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\58AF.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\5AA4.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\5CD8.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\5E30.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\5CD8.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/4872-89-0x0000000000830000-0x0000000000988000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6229.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\668F.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/2052-98-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5E30.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/2052-96-0x0000000002100000-0x000000000215A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6B05.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\6229.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\6B05.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\668F.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/1956-110-0x0000000000720000-0x000000000073E000-memory.dmp

memory/1956-109-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/4664-111-0x0000000000190000-0x00000000001EA000-memory.dmp

memory/4664-112-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/4664-114-0x0000000007470000-0x0000000007A14000-memory.dmp

memory/3876-115-0x00000000020E0000-0x000000000213A000-memory.dmp

memory/1956-113-0x00000000055C0000-0x0000000005BD8000-memory.dmp

memory/3876-119-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4664-117-0x0000000006F60000-0x0000000006FF2000-memory.dmp

memory/1956-121-0x0000000005020000-0x000000000505C000-memory.dmp

memory/1956-116-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

memory/1956-123-0x0000000005060000-0x00000000050AC000-memory.dmp

memory/4664-126-0x00000000070B0000-0x00000000070C0000-memory.dmp

memory/1956-127-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/4664-125-0x0000000007020000-0x000000000702A000-memory.dmp

memory/3876-124-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/4664-128-0x0000000007A20000-0x0000000007B2A000-memory.dmp

memory/3960-129-0x00007FFE62B20000-0x00007FFE635E1000-memory.dmp

memory/3960-132-0x00007FFE62B20000-0x00007FFE635E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/4664-138-0x0000000007B30000-0x0000000007B96000-memory.dmp

memory/4872-139-0x0000000000830000-0x0000000000988000-memory.dmp

memory/4872-140-0x0000000000830000-0x0000000000988000-memory.dmp

memory/3504-141-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/1956-148-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/4872-149-0x0000000000830000-0x0000000000988000-memory.dmp

memory/3504-150-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/4632-162-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4632-165-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4632-172-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4632-169-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a1d4f7d3c985f1415d89251a7064b166
SHA1 83838926061a542595182e7a2309d3a47ba871b5
SHA256 98ca5214aed8ec70bbb3cc8fcba58c64cad7b8e116aec7029ae326f76a30df9d
SHA512 7d9245a141a789e61b2c39b7b3629f17aa3585933f0da2dfeb5fad4032505f5cf761e0b4371830c8c0deb79de86fe35d9e8e8d05d953fe55c3c8f9fce08883ca

\??\pipe\LOCAL\crashpad_1628_FRPNCCHUAEMMDXHX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3504-164-0x0000000007E00000-0x0000000007E10000-memory.dmp

memory/4664-156-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/4164-199-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4164-207-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3876-208-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/4664-209-0x00000000070B0000-0x00000000070C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 62517a1c83a1fe45928c022fd393d378
SHA1 c2384de2dc7bee616e06fac43c30f3b69d8a8482
SHA256 0b4da2f9a77c6435229bf0f2eb92c66d8409ada78f5af1c6595708980011969b
SHA512 1a161cbc26ab8ce8734f64078114eca0904667f449f7ee52a888645590bed07e0083cdbdee6fac438e29c3213d18164271a1e6d56da1dd48e008c1e1f4ca81d4

memory/4632-200-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4164-198-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1956-210-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/1956-211-0x0000000006590000-0x0000000006752000-memory.dmp

memory/1956-221-0x0000000006C90000-0x00000000071BC000-memory.dmp

memory/3876-222-0x00000000075D0000-0x00000000075E0000-memory.dmp

memory/1956-223-0x0000000006800000-0x0000000006876000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GC271vg.exe

MD5 5f11b5411a364c7049ea8df25a6a34cf
SHA1 64bd9f5938f53407f6d529810a739e8a0945cc66
SHA256 8036d126b40643884ae4147359c0f62bac0ee481fbd01956042ca10a99db8122
SHA512 e7163d9ffee21b24a1f862be8eda9cc4c07ca44ea18de2a1769325ec82448e6046466b3cf0c034efec2c6a693edd85fa2132e675a95858e0648119b837a9b3c7

memory/6072-227-0x0000000000420000-0x000000000045E000-memory.dmp

memory/6072-228-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/4664-229-0x00000000092F0000-0x0000000009340000-memory.dmp

memory/1956-230-0x0000000006950000-0x000000000696E000-memory.dmp

memory/6072-231-0x0000000007330000-0x0000000007340000-memory.dmp

memory/2452-235-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 62517a1c83a1fe45928c022fd393d378
SHA1 c2384de2dc7bee616e06fac43c30f3b69d8a8482
SHA256 0b4da2f9a77c6435229bf0f2eb92c66d8409ada78f5af1c6595708980011969b
SHA512 1a161cbc26ab8ce8734f64078114eca0904667f449f7ee52a888645590bed07e0083cdbdee6fac438e29c3213d18164271a1e6d56da1dd48e008c1e1f4ca81d4

memory/3504-246-0x00000000729E0000-0x0000000073190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 349145a4ff217f0cec2c05e413a81395
SHA1 9efe27c8c7238e0b7914aa70b02769ca2f8df089
SHA256 3f5e0361007a0234b3701506fd60b3fbe4f7d75f6a77d20404075d08bc6d88e8
SHA512 e917b5950fedd6bcfca2e6eeb5482a0b112f0075e741d0ee7c83eb91e76d7a107375f0e31c2bfdd36853ad328e102456c0a95e5f6235458d4a66561ebad6c4b3

memory/2452-247-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/3504-248-0x0000000007E00000-0x0000000007E10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6e45489c967caf9cd9e035a239ba4b1f
SHA1 4c99cc39a442cb06477f06a2dec516885de40c38
SHA256 ec9cecc3765ccb044666c4a3e19376334f6b6f9d9c68c8e09b37557694ab600c
SHA512 b6e042714dba20236b41d6496facb2b07b4a4badf0023e5d090ed572d76c08b5889f3702de3de0890caed87c8e0bd5cb214ab5718d2caeb56c7afd3555936f99

\??\pipe\LOCAL\crashpad_1508_FRHYADBYATKMTSKG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

C:\Users\Admin\AppData\Local\Temp\tmpD8A9.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpD8DE.tmp

MD5 8395952fd7f884ddb74e81045da7a35e
SHA1 f0f7f233824600f49147252374bc4cdfab3594b9
SHA256 248c0c254592c08684c603ac37896813354c88ab5992fadf9d719ec5b958af58
SHA512 ea296a74758c94f98c352ff7d64c85dcd23410f9b4d3b1713218b8ee45c6b02febff53073819c973da0207471c7d70309461d47949e4d40ba7423328cf23f6cd

C:\Users\Admin\AppData\Local\Temp\tmpD9D0.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpD98C.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmpD967.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpDA2B.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/6072-472-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/1956-473-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/6072-489-0x0000000007330000-0x0000000007340000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4664-501-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/3876-502-0x00000000729E0000-0x0000000073190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/2452-515-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/3504-517-0x00000000729E0000-0x0000000073190000-memory.dmp

memory/2452-565-0x0000000007420000-0x0000000007430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 89a30e8f664228c6c4f656ae7ab153e9
SHA1 660f8291ce01b91c75f0e1927b96affba4251374
SHA256 82f39393ee5feaf40215fd47ab6f24baa20103f662683259c8839744a54409a6
SHA512 3be71723b6ec9c7717eb07c3da8c7269e792ccd4fed4f2aaccd19478822f52c2994f74b165ae51c2c4f3e7b6d2b5fe0e38aabba770fc7fad11619f4fdbc5b515

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a595ed259867109e28fcc46f1cacf310
SHA1 04758e37225d178cc2424454dcd523526abe6c3c
SHA256 f1f275baf61f9d05538a6c8f424f6d2ab59a5a0ccbea723735945b0459d63273
SHA512 5e518597cb89b4c51f03ac94544fb26e11763f46a9501c4bb13dfd42237e953fc44b437dd29904c0aff8ddbf396eff5bf3e40ff0f9c889a545cfc771e15e5a1e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6bc5a15402ac5fdf1ba8b0103d2baf7c
SHA1 28486bf7bf39e3405ac590d3c4ef57c24198608b
SHA256 fa5b7cfed22fa61a39c85b94e09004bc35181ddd7f13c3f7b6e3bb0a11425e7b
SHA512 e3899e78fd9a8c8fb6d51d979bb06fa38aa993cf28a78bcf3106fcb7dec273add398452787530e7271a5d9c82d9ab5cadfa53ee4095f8233d1a0f21c06076e69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 207dad7a15128905833655900123aa58
SHA1 a7ab604bb6a6db5cb82f9d9e557e010a36dbd2ca
SHA256 8c8ebdd014ccab1b0e90d31d8b8e8e57979d46dadf0223ca095a1972f7002288
SHA512 02172adf4053e7967d2005b26389bfc47687ff0d473e94a811bf7d33060893b1be96cb225fc7bd4fe87919f21137304f4040b1ce3a373d4855b21b292cfc6cc7

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 674d9025076b1bf445612b4c29b2ac9f
SHA1 0d6355ad09c5dd78fa8cceb2974ef8ceb6449025
SHA256 78abaa7a60b7ecda31ebf76af2a2f6ef694b7ec8af68ab44ea9373170db45c43
SHA512 beef73f2946cbb545c1fbc98d3907ea6a3e704ae26f7d322a69cbb3de9cf1f9acfa70fd214f0cd4e2681ba27b0f57d23f94592843eea02cfab4efffe893465d9

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9e6a1ef4a33b25bdd3e95039ef505a40
SHA1 1b43cc3e8bf27205f70a15a04c6a56a380e106ed
SHA256 5094dcf2b77b1c9ba1013c01b94d039a3082e9952f31d34f29f6ccf334ce05f4
SHA512 195fc074eda8a8688954accaf4badbd3c97850e8a47e52ebe419eafba6989d4a44340f64a08092bff9811c4d70c1de08e134476682aa5710553a34866a80638d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 16ecd101c3ce6d699fff092eaa47119c
SHA1 24419a6eb149e63c1dac1a2a520d0275f131ccc2
SHA256 261f40258b75ed1b909e1e5f6f577f2ea3f316a38960875cfce2edbde3c4baf1
SHA512 2143b415dcbb6e5e3494db3e8ff5f7c3a9d7fbdef2fae94e8f867a37ca5406c581ca6807412f655abed2c32fbfbb4e2c0934d622cb7465d2b2e8ac2c96e9f23b

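Three things about the file listing above matter before any of it is turned into detection content: the same path-and-digest block is repeated several times, the two Crashpad named pipes carry the MD5/SHA1/SHA256/SHA512 of zero-byte input (so there is no content behind them to hunt for), and most of the Edge profile files (settings.dat, Local State, Preferences, TransportSecurity, Network Persistent State) are written by the browser itself rather than dropped by the sample. The script below is an added example, not part of the sandbox report or its tooling: it parses entries in this report's layout, rejects digests of the wrong length, drops empty-content entries, separates Edge-profile files from payload drops, de-duplicates the rest by SHA256, and picks out memory regions that start at the default PE image base. The Edge-profile rule and the 0x400000 image-base rule are assumptions made here, not something the report states; SAMPLE is a constructed subset copied from the listing above.

```python
# Added example (not from the sandbox report): turn its listing into a noise-filtered IOC set.
import hashlib
import re

# Constructed sample copied from the listing above, in the report's own layout
# (path line, blank line, MD5/SHA1/SHA256/SHA512 lines; memory regions on one line).
SAMPLE = r"""C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

\??\pipe\LOCAL\crashpad_1628_FRPNCCHUAEMMDXHX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GC271vg.exe

MD5 5f11b5411a364c7049ea8df25a6a34cf
SHA1 64bd9f5938f53407f6d529810a739e8a0945cc66
SHA256 8036d126b40643884ae4147359c0f62bac0ee481fbd01956042ca10a99db8122
SHA512 e7163d9ffee21b24a1f862be8eda9cc4c07ca44ea18de2a1769325ec82448e6046466b3cf0c034efec2c6a693edd85fa2132e675a95858e0648119b837a9b3c7

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GC271vg.exe

MD5 5f11b5411a364c7049ea8df25a6a34cf
SHA1 64bd9f5938f53407f6d529810a739e8a0945cc66
SHA256 8036d126b40643884ae4147359c0f62bac0ee481fbd01956042ca10a99db8122
SHA512 e7163d9ffee21b24a1f862be8eda9cc4c07ca44ea18de2a1769325ec82448e6046466b3cf0c034efec2c6a693edd85fa2132e675a95858e0648119b837a9b3c7

memory/3504-141-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-byte input: the Crashpad named pipes carry exactly these, so they are not file IOCs.
EMPTY = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in DIGEST_LEN}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Assumed heuristic: files under the Edge profile are written by the browser, not dropped by the sample.
BROWSER_NOISE = re.compile(r"\\Microsoft\\Edge\\User Data\\", re.I)


def parse(text):
    """Split the listing into file entries and memory regions; reject malformed digests."""
    files, regions, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        m = DIGEST_RE.match(line)
        if m and current is not None:
            algo, hexval = m.groups()
            if len(hexval) != DIGEST_LEN[algo]:
                raise ValueError(f"{current['path']}: {algo} has {len(hexval)} hex chars")
            current["digests"][algo] = hexval
            continue
        current = {"path": line, "digests": {}}  # any other line opens a new file entry
        files.append(current)
    return files, regions


def classify(entry):
    """'empty' (nothing to hunt), 'browser-profile' (sandbox noise) or 'payload'."""
    if any(entry["digests"].get(a) == EMPTY[a] for a in EMPTY):
        return "empty"
    if BROWSER_NOISE.search(entry["path"]):
        return "browser-profile"
    return "payload"


def ioc_set(text):
    """Unique payload SHA256 -> paths seen at, per-class counts, and memory regions."""
    files, regions = parse(text)
    payloads, counts = {}, {"empty": 0, "browser-profile": 0, "payload": 0}
    for entry in files:
        kind = classify(entry)
        counts[kind] += 1
        if kind == "payload":
            payloads.setdefault(entry["digests"]["SHA256"], set()).add(entry["path"])
    return payloads, counts, regions


def image_base_pids(regions):
    """PIDs with a dump starting at 0x400000, the default PE image base (assumed heuristic):
    the first dumps to pull when looking for an unpacked or injected payload."""
    return {pid for pid, _, start, _ in regions if start == 0x400000}
```

Run on the full listing, ioc_set() leaves the payload set at the handful of executables and DLLs actually dropped under Temp and Roaming, and image_base_pids() points at the processes whose 0x400000 regions were dumped, which is where the injected RAT and stealer payloads named in the signatures would be carved from. Browser-profile files are worth keeping for the story (the stealer reading Edge data is why the browser wrote them) but not as hash indicators, since they differ on every machine.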