Malware Analysis Report

2025-08-10 23:42

Sample ID 231011-y44b8adb25
Target b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c
SHA256 b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c
Tags
amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor google discovery dropper evasion infostealer persistence phishing rat spyware stealer trojan breha kukish microsoft
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c

Threat Level: Known bad

The file b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c was found to be: Known bad.

Malicious Activity Summary

Amadey

SmokeLoader

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

SectopRAT payload

DcRat

Detected google phishing page

Healer

SectopRAT

Downloads MZ/PE file

Windows security modification

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 20:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 20:21

Reported

2023-10-12 14:57

Platform

win7-20230831-en

Max time kernel

153s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

3 matches (indicator and process not recorded)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A

RedLine

infostealer redline

RedLine payload

11 matches (indicator and process not recorded)

SectopRAT

trojan rat sectoprat

SectopRAT payload

3 matches (indicator and process not recorded)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Process (number of dropped-DLL loads; the DLL path is not recorded)
C:\Windows\SysWOW64\WerFault.exe (12)
C:\Users\Admin\AppData\Local\Temp\7B09.exe (2)
C:\Users\Admin\AppData\Local\Temp\9208.exe (1)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe (3)
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe (1)
C:\Users\Admin\AppData\Local\Temp\9D20.exe (1)
C:\Windows\SysWOW64\rundll32.exe (4)

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A
Note: Features\TamperProtection is a Windows 10-era Defender setting with no effect on the win7 platform this run used; the write records what the dropper attempts on every host, not an effect observed here.
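The Real-time Protection rows earlier in this section and the TamperProtection row above are all written by 84DD.exe and together switch off real-time, behaviour, IOAV and on-access scanning plus the tamper-protection flag. The Python below is an added example for turning those two tables into a check; it is not code from the report or from the sandbox's rule set. It scans registry events transcribed from the tables (plus one constructed benign Internet Explorer row that must not fire) for the value names that disable Defender together with the data value that means "disabled". The tuple layout is the example's own, and the DisableAntiSpyware rule is an assumed addition that this report does not contain.

```python
from collections import defaultdict

# Registry events transcribed from the two Defender tables in this report,
# plus one constructed control row (an Internet Explorer setting written by
# iexplore.exe) that a correct filter must ignore.
# Tuple layout: (operation, key path, data, writing process).
EVENTS = [
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable", "1", r"C:\Users\Admin\AppData\Local\Temp\84DD.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", None, r"C:\Users\Admin\AppData\Local\Temp\84DD.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring", "1", r"C:\Users\Admin\AppData\Local\Temp\84DD.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection", "1", r"C:\Users\Admin\AppData\Local\Temp\84DD.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection", "1", r"C:\Users\Admin\AppData\Local\Temp\84DD.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "1", r"C:\Users\Admin\AppData\Local\Temp\84DD.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features", None, r"C:\Users\Admin\AppData\Local\Temp\84DD.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0", r"C:\Users\Admin\AppData\Local\Temp\84DD.exe"),
    # Constructed control row: same data ("0"), unrelated key, must not match.
    ("Set value (int)", r"\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags", "0", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

# Value names that disable a Defender component, with the data meaning
# "disabled". The Real-Time Protection and DisableAntiSpyware entries are
# Group Policy keys under HKLM\SOFTWARE\Policies; TamperProtection lives under
# the product key HKLM\SOFTWARE\Microsoft\Windows Defender\Features and is not
# a policy, so a rule that only watches the Policies hive misses it.
# DisableAntiSpyware is an assumed addition; it does not appear in this report.
DEFENDER_RULES = {
    r"\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring": "1",
    r"\policies\microsoft\windows defender\real-time protection\disablebehaviormonitoring": "1",
    r"\policies\microsoft\windows defender\real-time protection\disableonaccessprotection": "1",
    r"\policies\microsoft\windows defender\real-time protection\disableioavprotection": "1",
    r"\policies\microsoft\windows defender\real-time protection\disablescanonrealtimeenable": "1",
    r"\policies\microsoft\windows defender\disableantispyware": "1",
    r"\microsoft\windows defender\features\tamperprotection": "0",
}


def find_defender_tampering(events):
    """Map each writing process to the Defender switches it flipped.

    Returns {process: [(value name, data), ...]}. Only "Set value" events count:
    creating the policy key on its own changes no setting.
    """
    findings = defaultdict(list)
    for op, key, data, proc in events:
        if not op.startswith("Set value"):
            continue
        path = key.lower()
        for suffix, disabled in DEFENDER_RULES.items():
            # Suffix match keeps the rule hive-independent (Policies vs product key).
            if path.endswith(suffix) and data == disabled:
                findings[proc].append((key.rsplit("\\", 1)[-1], data))
    return dict(findings)


def verdict(findings):
    """One line per offending process, most switches first."""
    return [
        f"{proc}: disabled {len(hits)} Defender control(s): " + ", ".join(name for name, _ in hits)
        for proc, hits in sorted(findings.items(), key=lambda kv: -len(kv[1]))
    ]


if __name__ == "__main__":
    for line in verdict(find_defender_tampering(EVENTS)):
        print(line)
```

Matching on the key suffix rather than the full path is what lets one rule table cover both the Group Policy hive and the product key; a detection that watches only HKLM\SOFTWARE\Policies would report the five real-time protection writes and miss the TamperProtection write from the same process.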

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7B09.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe N/A
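The five RunOnce entries above are the standard self-cleanup that every WEXTRACT/IExpress self-extracting package registers (rundll32 advpack.dll,DelNodeRunDLL32 removes the IXP00n.TMP directory at the next logon), so any one of them is unremarkable. What identifies the dropper is that the process writing wextract_cleanupN lives in the directory that wextract_cleanupN-1 cleans up, five levels deep, with 1dq11lF0.exe in IXP004.TMP as the innermost stage. The Python below is an added example, not part of the report, that reconstructs and verifies that nesting from the rows as transcribed (de-escaped, since the report prints backslashes doubled); the tuple layout is the example's own.

```python
import ntpath
import re

# RunOnce rows transcribed from the table above: (value name, data, writing process).
# The report prints backslashes doubled and quotes escaped; these are the
# de-escaped registry values.
RUNONCE_ROWS = [
    ("wextract_cleanup0", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"', r"C:\Users\Admin\AppData\Local\Temp\7B09.exe"),
    ("wextract_cleanup1", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"', r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe"),
    ("wextract_cleanup2", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"', r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe"),
    ("wextract_cleanup3", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"', r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe"),
    ("wextract_cleanup4", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"', r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe"),
]

# The quoted argument after DelNodeRunDLL32 is the directory the stage extracted into.
CLEANUP_RE = re.compile(r'DelNodeRunDLL32\s+"(?P<dir>[^"]+)"')
NAME_RE = re.compile(r"^wextract_cleanup(?P<n>\d+)$")


def parse_stages(rows):
    """Return {n: (stage executable, directory it extracted into)} for each wextract_cleanup<n>."""
    stages = {}
    for name, data, proc in rows:
        m_name, m_dir = NAME_RE.match(name), CLEANUP_RE.search(data)
        if not (m_name and m_dir):
            continue
        # Tolerate the report's doubled backslashes and drop the trailing separator.
        directory = m_dir.group("dir").replace("\\\\", "\\").rstrip("\\")
        stages[int(m_name.group("n"))] = (proc, directory)
    return stages


def reconstruct_chain(rows):
    """Order the stages outermost first and verify the nesting: the executable
    registering cleanup n must sit inside the directory that stage n-1 extracted into.
    Raises ValueError if a stage is not a child of the previous one."""
    stages = parse_stages(rows)
    chain = [stages[n] for n in sorted(stages)]
    for (_, outer_dir), (inner_exe, _) in zip(chain, chain[1:]):
        # ntpath handles the Windows paths on any host OS.
        if ntpath.dirname(inner_exe).lower() != outer_dir.lower():
            raise ValueError(f"{inner_exe} was not extracted by the previous stage ({outer_dir})")
    return chain


def sfx_depth(rows):
    """Number of nested self-extracting stages the RunOnce entries prove."""
    return len(reconstruct_chain(rows))


if __name__ == "__main__":
    for level, (exe, directory) in enumerate(reconstruct_chain(RUNONCE_ROWS)):
        print(f"stage {level}: {ntpath.basename(exe)} -> {ntpath.basename(directory)}")
```

A single DelNodeRunDLL32 entry is what any IExpress-built installer leaves behind; the check that is worth alerting on is a depth greater than one or two, each stage a differently named executable living in the previous stage's temp directory.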

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Every row in this table is written by Internet Explorer itself (iexplore.exe / IEXPLORE.EXE) after it was launched during the run; none is written by the sample or the executables it dropped, so this signature records that IE was opened, not that the sample changed its settings.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000fdd5258de23d735229d9fab1948f3a32b11020faba49d416ee246cbe63bbf560000000000e80000000020000200000007448afa9faba7da5309a379d8c7c64a0ce4bf49f1f71879fba557c13647f9cbd20000000c68433c0d4dd1b8faae74cbd2b61239b990a4b11bd675fd790b8aae6ceb0ae7840000000e5d52c884805b2929abfcd877099abcfdbb1ef5aa258ab667bfec6a0acc203fc952f74cd0a2f178e739f6cac531baad69276681a39bea9410d7f812cb4811e76 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601e0f501cfdd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary data omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7813DE51-690F-11EE-A0E4-CE1068F0F1D9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{77FC1091-690F-11EE-A0E4-CE1068F0F1D9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\A711.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\A711.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\A711.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\A711.exe N/A
Note: D4DE20D05E66FC53FE1A50882C78DB2852CAE474 is the SHA-1 thumbprint of the Baltimore CyberTrust Root, and AuthRoot is the store that Windows' automatic root-certificate update fills when a process validates a chain ending in a root not yet cached locally. These rows therefore show A711.exe making a TLS connection whose chain ends in that root, not installing a root of its own; a sample planting its own CA would write under SystemCertificates\ROOT (machine or user hive) with a thumbprint absent from Microsoft's root list.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
(62 further matches with no process recorded)

Suspicious behavior: GetForegroundWindowSpam

1 match (process not recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84DD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A711.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A09A.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B601.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A (21 enables, process not recorded) N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D20.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
(4 further matches with no process recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1200 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1200 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1200 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1200 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1200 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1200 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\7EB2.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\7EB2.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\7EB2.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\7EB2.exe
PID 1200 wrote to memory of 2696 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2696 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2696 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\81D0.exe
PID 1200 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\81D0.exe
PID 1200 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\81D0.exe
PID 1200 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\81D0.exe
PID 1200 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\84DD.exe
PID 1200 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\84DD.exe
PID 1200 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\84DD.exe
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7EB2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7EB2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 2556 N/A N/A C:\Users\Admin\AppData\Local\Temp\9208.exe
PID 2596 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\81D0.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 2360 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D20.exe
PID 2556 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\9208.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2756 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe
PID 1632 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe

"C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 52

C:\Users\Admin\AppData\Local\Temp\7B09.exe

C:\Users\Admin\AppData\Local\Temp\7B09.exe

C:\Users\Admin\AppData\Local\Temp\7EB2.exe

C:\Users\Admin\AppData\Local\Temp\7EB2.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7FBD.bat" "

C:\Users\Admin\AppData\Local\Temp\81D0.exe

C:\Users\Admin\AppData\Local\Temp\81D0.exe

C:\Users\Admin\AppData\Local\Temp\84DD.exe

C:\Users\Admin\AppData\Local\Temp\84DD.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 48

C:\Users\Admin\AppData\Local\Temp\9208.exe

C:\Users\Admin\AppData\Local\Temp\9208.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 48

C:\Users\Admin\AppData\Local\Temp\9D20.exe

C:\Users\Admin\AppData\Local\Temp\9D20.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\A09A.exe

C:\Users\Admin\AppData\Local\Temp\A09A.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

C:\Users\Admin\AppData\Local\Temp\A711.exe

C:\Users\Admin\AppData\Local\Temp\A711.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\AB84.exe

C:\Users\Admin\AppData\Local\Temp\AB84.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\B601.exe

C:\Users\Admin\AppData\Local\Temp\B601.exe

C:\Users\Admin\AppData\Local\Temp\C148.exe

C:\Users\Admin\AppData\Local\Temp\C148.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 36

C:\Windows\system32\taskeng.exe

taskeng.exe {2C7D01E3-E78C-4FAA-9D80-33B0421EA0BB} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:340993 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files

memory/2212-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2212-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2212-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2212-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2212-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1200-5-0x0000000002C50000-0x0000000002C66000-memory.dmp

memory/2212-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B09.exe

MD5 f507af6b498a27cab5e4a67f73338385
SHA1 7158ae79ef344fa4804245b1c5778bceaf9eaab2
SHA256 ab73d02b9161a649d8053c273b0040e8cd04d7a58dbd2688e1f939619c413728
SHA512 b27d40e2bd2e12a4b22cc779d37c2ce530810c356a5466c2a4a9d572d2086c165ff638a74ba27675e364d10cfbcea4f47fa2bc0b1c8ac7e76e5ee85708de0316

C:\Users\Admin\AppData\Local\Temp\7B09.exe

MD5 f507af6b498a27cab5e4a67f73338385
SHA1 7158ae79ef344fa4804245b1c5778bceaf9eaab2
SHA256 ab73d02b9161a649d8053c273b0040e8cd04d7a58dbd2688e1f939619c413728
SHA512 b27d40e2bd2e12a4b22cc779d37c2ce530810c356a5466c2a4a9d572d2086c165ff638a74ba27675e364d10cfbcea4f47fa2bc0b1c8ac7e76e5ee85708de0316

C:\Users\Admin\AppData\Local\Temp\7EB2.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\7EB2.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\7FBD.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\81D0.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\81D0.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\84DD.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\84DD.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\7FBD.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\7EB2.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\7EB2.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\9208.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\9208.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\7EB2.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\7B09.exe

MD5 f507af6b498a27cab5e4a67f73338385
SHA1 7158ae79ef344fa4804245b1c5778bceaf9eaab2
SHA256 ab73d02b9161a649d8053c273b0040e8cd04d7a58dbd2688e1f939619c413728
SHA512 b27d40e2bd2e12a4b22cc779d37c2ce530810c356a5466c2a4a9d572d2086c165ff638a74ba27675e364d10cfbcea4f47fa2bc0b1c8ac7e76e5ee85708de0316

\Users\Admin\AppData\Local\Temp\7EB2.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\81D0.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

\Users\Admin\AppData\Local\Temp\81D0.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

\Users\Admin\AppData\Local\Temp\81D0.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

\Users\Admin\AppData\Local\Temp\81D0.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\9D20.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe

MD5 60345516e0ad2efe5fc091bfac61dcf8
SHA1 d64ba4b857cb68aa95a663bf46dea6c04742e310
SHA256 7ec684d6f38f48e4e8a48377ca2dd1b2f035c5c7b949d604f3d036796fc7396d
SHA512 2ec1fad09aa4ec7f9dc15b7085fa15272b18b02087d3008af733f7c2fe32623911641230da41f3959fc89823a646b42097a2a3d5d3cf60af4795c119584de9fa

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe

MD5 60345516e0ad2efe5fc091bfac61dcf8
SHA1 d64ba4b857cb68aa95a663bf46dea6c04742e310
SHA256 7ec684d6f38f48e4e8a48377ca2dd1b2f035c5c7b949d604f3d036796fc7396d
SHA512 2ec1fad09aa4ec7f9dc15b7085fa15272b18b02087d3008af733f7c2fe32623911641230da41f3959fc89823a646b42097a2a3d5d3cf60af4795c119584de9fa

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe

MD5 60345516e0ad2efe5fc091bfac61dcf8
SHA1 d64ba4b857cb68aa95a663bf46dea6c04742e310
SHA256 7ec684d6f38f48e4e8a48377ca2dd1b2f035c5c7b949d604f3d036796fc7396d
SHA512 2ec1fad09aa4ec7f9dc15b7085fa15272b18b02087d3008af733f7c2fe32623911641230da41f3959fc89823a646b42097a2a3d5d3cf60af4795c119584de9fa

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe

MD5 60345516e0ad2efe5fc091bfac61dcf8
SHA1 d64ba4b857cb68aa95a663bf46dea6c04742e310
SHA256 7ec684d6f38f48e4e8a48377ca2dd1b2f035c5c7b949d604f3d036796fc7396d
SHA512 2ec1fad09aa4ec7f9dc15b7085fa15272b18b02087d3008af733f7c2fe32623911641230da41f3959fc89823a646b42097a2a3d5d3cf60af4795c119584de9fa

C:\Users\Admin\AppData\Local\Temp\A09A.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\A09A.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

MD5 015d7c9f0a840fe3d50c0c1716234899
SHA1 89e4a4eb63a9e3aa3f2ec4be1c0abcf39506f014
SHA256 801779a13d5b4be0edf8797402b19eff5abfa91bab832f56b4df546a157f17c7
SHA512 d88e746ca83388d02789559ce914087b775c1ed8486b6a0a639230446d0ca300033835eeb18a6151235970dfaad4dc46e9a4992b1f0e37b6e63cb386cfbd0571

memory/2384-101-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

MD5 015d7c9f0a840fe3d50c0c1716234899
SHA1 89e4a4eb63a9e3aa3f2ec4be1c0abcf39506f014
SHA256 801779a13d5b4be0edf8797402b19eff5abfa91bab832f56b4df546a157f17c7
SHA512 d88e746ca83388d02789559ce914087b775c1ed8486b6a0a639230446d0ca300033835eeb18a6151235970dfaad4dc46e9a4992b1f0e37b6e63cb386cfbd0571

\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

MD5 015d7c9f0a840fe3d50c0c1716234899
SHA1 89e4a4eb63a9e3aa3f2ec4be1c0abcf39506f014
SHA256 801779a13d5b4be0edf8797402b19eff5abfa91bab832f56b4df546a157f17c7
SHA512 d88e746ca83388d02789559ce914087b775c1ed8486b6a0a639230446d0ca300033835eeb18a6151235970dfaad4dc46e9a4992b1f0e37b6e63cb386cfbd0571

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

MD5 015d7c9f0a840fe3d50c0c1716234899
SHA1 89e4a4eb63a9e3aa3f2ec4be1c0abcf39506f014
SHA256 801779a13d5b4be0edf8797402b19eff5abfa91bab832f56b4df546a157f17c7
SHA512 d88e746ca83388d02789559ce914087b775c1ed8486b6a0a639230446d0ca300033835eeb18a6151235970dfaad4dc46e9a4992b1f0e37b6e63cb386cfbd0571

C:\Users\Admin\AppData\Local\Temp\A711.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/2384-104-0x0000000001C00000-0x0000000001C5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A711.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

MD5 4ecaa85091da1da1ab99b3d9d9814c45
SHA1 8aef9194afb1f116edae731544e1ab1199691f48
SHA256 eccab56ef7d3bbb5a672890438e159b4d166857cb3450fdc3f4b611e98f82ddf
SHA512 196d0283740be8fa2ac8bbaed974bf607e9d6cbf009e29dcf076790ee2408aa97f4eff36d68d79e7508b6efb1da531c1cb752c3850596ae2ed5aa400b2861ebb

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

MD5 4ecaa85091da1da1ab99b3d9d9814c45
SHA1 8aef9194afb1f116edae731544e1ab1199691f48
SHA256 eccab56ef7d3bbb5a672890438e159b4d166857cb3450fdc3f4b611e98f82ddf
SHA512 196d0283740be8fa2ac8bbaed974bf607e9d6cbf009e29dcf076790ee2408aa97f4eff36d68d79e7508b6efb1da531c1cb752c3850596ae2ed5aa400b2861ebb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

MD5 4ecaa85091da1da1ab99b3d9d9814c45
SHA1 8aef9194afb1f116edae731544e1ab1199691f48
SHA256 eccab56ef7d3bbb5a672890438e159b4d166857cb3450fdc3f4b611e98f82ddf
SHA512 196d0283740be8fa2ac8bbaed974bf607e9d6cbf009e29dcf076790ee2408aa97f4eff36d68d79e7508b6efb1da531c1cb752c3850596ae2ed5aa400b2861ebb

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

MD5 4ecaa85091da1da1ab99b3d9d9814c45
SHA1 8aef9194afb1f116edae731544e1ab1199691f48
SHA256 eccab56ef7d3bbb5a672890438e159b4d166857cb3450fdc3f4b611e98f82ddf
SHA512 196d0283740be8fa2ac8bbaed974bf607e9d6cbf009e29dcf076790ee2408aa97f4eff36d68d79e7508b6efb1da531c1cb752c3850596ae2ed5aa400b2861ebb

memory/2360-129-0x00000000008A0000-0x00000000008A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

MD5 3ab416f9d645b5622e440fe7e360f31a
SHA1 b6927ba1d6597c0362bf59c90535a7464c49f399
SHA256 6e278a0296548ca49fac2fd8db0caab0f970d9aef8bab8398607da790d233b33
SHA512 bb36d62948b3c14eff2e4c3462d34aa2eb7e957afef4953ba116cf60e99e73bea2a7d67da49771e1eceaf71510801541a349e47c38c87ba36949c4239303f080

\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

MD5 3ab416f9d645b5622e440fe7e360f31a
SHA1 b6927ba1d6597c0362bf59c90535a7464c49f399
SHA256 6e278a0296548ca49fac2fd8db0caab0f970d9aef8bab8398607da790d233b33
SHA512 bb36d62948b3c14eff2e4c3462d34aa2eb7e957afef4953ba116cf60e99e73bea2a7d67da49771e1eceaf71510801541a349e47c38c87ba36949c4239303f080

\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

MD5 3ab416f9d645b5622e440fe7e360f31a
SHA1 b6927ba1d6597c0362bf59c90535a7464c49f399
SHA256 6e278a0296548ca49fac2fd8db0caab0f970d9aef8bab8398607da790d233b33
SHA512 bb36d62948b3c14eff2e4c3462d34aa2eb7e957afef4953ba116cf60e99e73bea2a7d67da49771e1eceaf71510801541a349e47c38c87ba36949c4239303f080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

MD5 3ab416f9d645b5622e440fe7e360f31a
SHA1 b6927ba1d6597c0362bf59c90535a7464c49f399
SHA256 6e278a0296548ca49fac2fd8db0caab0f970d9aef8bab8398607da790d233b33
SHA512 bb36d62948b3c14eff2e4c3462d34aa2eb7e957afef4953ba116cf60e99e73bea2a7d67da49771e1eceaf71510801541a349e47c38c87ba36949c4239303f080

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\AB84.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

memory/1352-145-0x00000000013E0000-0x0000000001538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

memory/1352-153-0x00000000013E0000-0x0000000001538000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

memory/372-156-0x0000000000400000-0x000000000043E000-memory.dmp

memory/372-158-0x0000000000400000-0x000000000043E000-memory.dmp

memory/372-162-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1352-164-0x00000000013E0000-0x0000000001538000-memory.dmp

memory/372-167-0x0000000000400000-0x000000000043E000-memory.dmp

memory/372-166-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B601.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\B601.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/556-173-0x00000000002F0000-0x000000000034A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\9D20.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\C148.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\B601.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\A09A.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/2344-192-0x0000000000120000-0x000000000013E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

memory/2936-197-0x0000000000B70000-0x0000000000B7A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

memory/2936-199-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

memory/556-200-0x0000000000400000-0x000000000046F000-memory.dmp

memory/556-201-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/372-202-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/2344-203-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/2384-204-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/2384-207-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2936-208-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

memory/556-209-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/372-210-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/2344-211-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/2384-212-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/2384-213-0x0000000007000000-0x0000000007040000-memory.dmp

memory/556-214-0x0000000007010000-0x0000000007050000-memory.dmp

memory/372-215-0x0000000000750000-0x0000000000790000-memory.dmp

memory/2344-216-0x0000000004A80000-0x0000000004AC0000-memory.dmp

memory/2384-219-0x0000000007000000-0x0000000007040000-memory.dmp

memory/372-220-0x0000000000750000-0x0000000000790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2936-227-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4A2E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar4A60.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{77FC1091-690F-11EE-A0E4-CE1068F0F1D9}.dat

MD5 96ff8ec0b1d023f21aa446bdb549321d
SHA1 0186c04cb0d4614de196571b23f73edba4ed097b
SHA256 f73878dd74a3bb9aa4ceafc64538a8c625e5104736bcfe430feee4ac45d51b04
SHA512 79998f321e4184cf3095dbdd7fd83221014a2591f6fe2d3b516abc3af5da083b32d559c66e6ae93c1151bc0a48c34ee4456c6ef9e66a61de59aa83b7ef516f82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29a270a1b804927cd7f6178a500bae0f
SHA1 785de3d098cc6261533831ff94a286a1100ed14b
SHA256 b19bd5ab821307047f93e836cf30973bb5d4c291399243164de0a26b573b1d18
SHA512 bb399bf9bb60e90da5d0a1d3aa4a916db84006044d16bd025d0981d7a4860a2302c6414389d4f32f2244286c571cad3e0f1f5427ab606ef5018df8f50824c364

C:\Users\Admin\AppData\Local\Temp\tmp588E.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp58D2.tmp

MD5 9de8f5c2b2916ab8ca2989f2fe8b3fe2
SHA1 64e7ec07d4d201ad2a5067be2e43429240394339
SHA256 ace3173e6cbc20b7b89aba8db456417a654e26147b9f0a97e8289147782324b8
SHA512 ba3bacb0e8639c763015791dc19411ccc1f3eaca807815988cafd8d4ebe7ced1e02daab55583df505bd42275589509e98c967466015afff5e9792ac74cb432f4

memory/556-508-0x0000000072DC0000-0x00000000734AE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O3E62B0W\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lbgq45t\imagestore.dat

MD5 cf7a03104f2af26261d6959f9fbd3154
SHA1 e2121f38dfb4f117d5122ebf164544903cedd9c3
SHA256 9809c25e1f1f23e2f535a65d4845d8f940e3cc78ae6b19effca21706468c693e
SHA512 15f44147116111855493b9a056f579e71a7f9912c6abaa299d68c29de73dbce7bf02e57a4c97319344822b664bef4bbc14cd10d9629429151e8ff7df8d9ea301

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JXO65VIN\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/372-643-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/2344-646-0x0000000072DC0000-0x00000000734AE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f00c4786c075719aa91df8738c586af7
SHA1 7312165ab1cd843ad11c53d8df2caf72a4881ad8
SHA256 1c07f31648f2ddb36f0887c1f1359eded87e89f4d0f4922479c7eee114cf71a0
SHA512 9f7d589843b8a9ca0bd536946b31d7ba6e7b6d4459c42249a4177e6bc1c4ecfdc7a5c45553b1e2673c5f83a47baa44f322b247f7642794137fbfc5e7d18b70db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84bc65b053629836007467b0480ec9a6
SHA1 1f4456b1a108d2a3bf9b960b4501a318f9162ba9
SHA256 ab519d27e1976b08d783b0c607c686c00d1782778cd5f9e3d432fd6200c2b9f5
SHA512 c8786a673187373d8833bcc4a9187f30c6efce74638c5f614385c5c8ca5cd50d52d090ac7456ac8e8cbf94a5f76baa2cdb7fd6500f74817d3981c39bdd07f8ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a86c8bbbf91a5f6a5a23a11c3e747868
SHA1 931acfed68f93a9a1e5b98788aee357efa70bc34
SHA256 55d765b4f47fe722f5f2598f21a2cdd92040346d92383d579c4c50caea1b41e6
SHA512 2b032e3f2dc7b41bae50900714da155d5552d0fb4e47384ddf4a92cdd70fb1da27fab12370525ec9928ffeb3ebd94f3c0a7690ed3027464a6a0834521f008c78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 618b06c1cdbfcc2e438fef7e0198479a
SHA1 88065bae7d37392956fc9f4ba275ebad80196c6e
SHA256 c9476959f0dd2fe5c7159d312b5ff9195526cb09fe7090e8304e4c87285a8691
SHA512 4c323a9c1dd111632cb1f46622d0f1aa5fc68bb5000af08d89d3a1ea71f56ab2af5c57644e32e46bbf27eea1105a8d031c642f678043715dc422e48881728ddd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47f1319af1a20cfe23d7d89b1658f561
SHA1 ee8fb4f2ac5559cc1c8bfaba68f9b76dc81b820a
SHA256 761783118caf0fa378c3ff0010e8c5f192d4dd9a97ab382fc00b562f9c66806c
SHA512 4759c9833428b48c05e801cec06dcb9a2994a2a5aee2b667a319f53cff879aa6f6ce07a85df4615f476c72c3ec41a02fb50d78d034562dbefcdf89a3d431908c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cfceebb2b9d9b43e32f5c81f44a1c8e
SHA1 e557fc0f6b4ccc1caab1c08a916b4645622944e8
SHA256 cdd351f948f73e7c65ae2457fa860a3ac36a31423ecef3482f6bf109a6a97630
SHA512 dc7448beb55e007ea2363b4f65728255cf8b5ba057d8421373fcfaf11826591bc332ba2773ec11495d6c7e61eb1bb3c2c124d327dc9d5d84a2db48bc6bffc88a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43dd2190433298d3494e7afb0604d586
SHA1 05fd26b9255c285b434396c77529d59684ee51e0
SHA256 d59875c5a3b6cbe5f04c31ad63c09a99fc9979f51bc537b3cfafc6289378b084
SHA512 f0fa1f8fb01a802d4ae220bc4ef33a9101c541aa82c087d72f8d7f189ee44c2e225d23a577db988cae418ad723910cb5c5c8c36347697b442a1742d6851ecf57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55a713ef9f671db7762c1c0084de8f5a
SHA1 b29321f4d8e7052d8ec0e8b8247f7391f792323f
SHA256 8c633768c92df453b77404a8868f799ccbbfe79b7ca1e422385533b7b3f59559
SHA512 b1bae94f3d621c93ce48d3915d8225f01a3b94961d04351aa3872f219da855f6b7c1e009c3953f39c97eb71978480f8d56df19366ebc13bc31e95cce7a136aa1

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4145fa1920e4841e6f79dc2a2271f816
SHA1 ff814cae1cdaf9e83a6a62722e0c93e298c2f752
SHA256 37ca4cd8dc057bda8d4a5cb0cb93accd5bf96eb00159d9cae87220e38eadc41e
SHA512 82105e8239711df2baf4546296d2de3773c68c8832afc101ab91f028dd4591300cb37fe8cc732139e275aa27235edfcf5cfd74d77552b12846137c30080e8383

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 20:21

Reported

2023-10-12 14:57

Platform

win10v2004-20230915-en

Max time kernel

160s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\512.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FF35.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A
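
The "Modifies Windows Defender Real-time Protection settings" rows and the TamperProtection row above are the most actionable indicators in this run, because the same registry writes show up in EDR telemetry on a real host. What follows is an added example written for this page, not code from the sandbox or from the malware: a small Python parser that reads rows in the report's own "Description Indicator Process Target" layout and turns Defender-tampering writes into findings, so the same logic can be run over other reports or over registry events exported in the same shape. The regex, the technique names, the glosses on each value and the benign control row are the editor's; the value names themselves are the documented Defender policy settings, and the sample rows are copied from the two tables above.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the registry-write rows the report attributes to
# FC65.exe, copied in the report's own "Description Indicator Process Target"
# layout, plus one made-up benign write that the filter must ignore.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A',
    # constructed benign write, not from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Contoso\Theme = "dark" C:\Windows\explorer.exe N/A',
]

# One row: <operation> <registry path>[ = "<data>"] <process image|N/A> <target>
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key (?:created|opened|queried|enumerated|value queried))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>N/A|[A-Z]:\\.+?\.exe)\s+(?P<target>\S+)$'
)

RTP_POLICY_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
# Policy values that switch a Defender component off when set to 1
# (documented Defender policy names; the glosses are the editor's).
RTP_DISABLE_VALUES = {
    'DisableRealtimeMonitoring': 'real-time scanning',
    'DisableBehaviorMonitoring': 'behavior monitoring',
    'DisableOnAccessProtection': 'on-access file scanning',
    'DisableIOAVProtection': 'download/attachment (IOAV) scanning',
    'DisableScanOnRealtimeEnable': 'the catch-up scan when real-time protection is re-enabled',
}
TAMPER_VALUE = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str
    detail: str


def parse_row(line):
    """Split one indicator row into its fields, or None if it is not a registry row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(row):
    """Map one parsed registry row to a Finding, or None when it is not Defender tampering.

    A row records the API call the process made, not whether Defender honoured it:
    on a host with Tamper Protection enabled the direct TamperProtection=0 write is blocked,
    so treat these as attempts and confirm the effective state on the host."""
    key, data, proc = row['key'], row['data'], row['proc']
    parent, _, name = key.rpartition('\\')
    if row['op'] == 'Key created' and key == RTP_POLICY_KEY:
        return Finding(proc, 'defender_policy_key_created', 'Real-Time Protection policy key created')
    if row['op'].startswith('Set value'):
        if parent == RTP_POLICY_KEY and name in RTP_DISABLE_VALUES and data == '1':
            return Finding(proc, 'defender_rtp_disabled', f'{name}=1 turns off {RTP_DISABLE_VALUES[name]}')
        if key == TAMPER_VALUE and data == '0':
            return Finding(proc, 'tamper_protection_off', 'TamperProtection=0 written under Features')
    return None


def scan(lines):
    """Run every row through the parser and classifier; unparseable rows are skipped."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row is not None:
            finding = classify(row)
            if finding is not None:
                findings.append(finding)
    return findings


def by_process(findings):
    """Techniques seen per writing process, for a quick triage summary."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.technique)
    return out


if __name__ == '__main__':
    for f in scan(SAMPLE_ROWS):
        print(f'{f.technique:28} {f.process}  {f.detail}')
```

On the sample rows the scan yields seven findings, all attributed to FC65.exe: five real-time-protection switches set to 1, the policy key creation, and the TamperProtection write; the constructed explorer.exe row parses but produces no finding.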

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\E947.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe N/A

Note on these rows: wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are the standard self-cleanup written by the Windows IExpress/WEXTRACT self-extractor, not a Run key planted by the malware to start itself. What they do show is the packaging: E947.exe and each executable extracted from it (Kd9CX7mR.exe, YD3ID7Eh.exe, Ah2ja0wu.exe, VF2bZ0Zv.exe) is another self-extractor layer, with the final payload unpacked into IXP004.TMP.

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FC65.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\512.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4072 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\E947.exe
PID 2636 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\E947.exe
PID 2636 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\E947.exe
PID 2636 wrote to memory of 2084 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe
PID 2636 wrote to memory of 2084 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe
PID 2636 wrote to memory of 2084 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe
PID 2636 wrote to memory of 1952 N/A N/A C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 1952 N/A N/A C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 4196 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe
PID 2636 wrote to memory of 4196 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe
PID 2636 wrote to memory of 4196 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe
PID 2636 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC65.exe
PID 2636 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC65.exe
PID 1952 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1952 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1424 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF35.exe
PID 2636 wrote to memory of 1424 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF35.exe
PID 2636 wrote to memory of 1424 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF35.exe
PID 4392 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe
PID 4392 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe
PID 4392 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe
PID 2636 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\512.exe
PID 2636 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\512.exe
PID 2636 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\512.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\F0D9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 1176 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A7.exe
PID 2636 wrote to memory of 1176 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A7.exe
PID 2636 wrote to memory of 1176 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A7.exe
PID 4172 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe
PID 4172 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe
PID 4172 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe
PID 2636 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\BEA.exe
PID 2636 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\BEA.exe
PID 2636 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\BEA.exe
PID 4196 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4196 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4196 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4196 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4196 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4196 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4196 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4196 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\FA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 3536 N/A N/A C:\Users\Admin\AppData\Local\Temp\12FF.exe
PID 2636 wrote to memory of 3536 N/A N/A C:\Users\Admin\AppData\Local\Temp\12FF.exe
PID 2636 wrote to memory of 3536 N/A N/A C:\Users\Admin\AppData\Local\Temp\12FF.exe
PID 4200 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe
PID 4200 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe
PID 4200 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe
PID 1952 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe

"C:\Users\Admin\AppData\Local\Temp\b1ec1ec560e5a2867b9d8e3b776a432fe007b465b58d62a2658714c90e328e2c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 236

C:\Users\Admin\AppData\Local\Temp\E947.exe

C:\Users\Admin\AppData\Local\Temp\E947.exe

C:\Users\Admin\AppData\Local\Temp\F0D9.exe

C:\Users\Admin\AppData\Local\Temp\F0D9.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F752.bat" "

C:\Users\Admin\AppData\Local\Temp\FA51.exe

C:\Users\Admin\AppData\Local\Temp\FA51.exe

C:\Users\Admin\AppData\Local\Temp\FC65.exe

C:\Users\Admin\AppData\Local\Temp\FC65.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kd9CX7mR.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

C:\Users\Admin\AppData\Local\Temp\FF35.exe

C:\Users\Admin\AppData\Local\Temp\FF35.exe

C:\Users\Admin\AppData\Local\Temp\512.exe

C:\Users\Admin\AppData\Local\Temp\512.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2084 -ip 2084

C:\Users\Admin\AppData\Local\Temp\9A7.exe

C:\Users\Admin\AppData\Local\Temp\9A7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

C:\Users\Admin\AppData\Local\Temp\BEA.exe

C:\Users\Admin\AppData\Local\Temp\BEA.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4196 -ip 4196

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

C:\Users\Admin\AppData\Local\Temp\12FF.exe

C:\Users\Admin\AppData\Local\Temp\12FF.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccf7c46f8,0x7ffccf7c4708,0x7ffccf7c4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 252

C:\Users\Admin\AppData\Local\Temp\1840.exe

C:\Users\Admin\AppData\Local\Temp\1840.exe

C:\Users\Admin\AppData\Local\Temp\1B5E.exe

C:\Users\Admin\AppData\Local\Temp\1B5E.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffccf7c46f8,0x7ffccf7c4708,0x7ffccf7c4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3056 -ip 3056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1808 -ip 1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,16217461535567431283,9579732646430163282,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,16217461535567431283,9579732646430163282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ue866rX.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ue866rX.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9A7.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccf7c46f8,0x7ffccf7c4708,0x7ffccf7c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1840.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccf7c46f8,0x7ffccf7c4708,0x7ffccf7c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1840.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccf7c46f8,0x7ffccf7c4708,0x7ffccf7c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9A7.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccf7c46f8,0x7ffccf7c4708,0x7ffccf7c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,1969455415858482891,574810557123369734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
IT 185.196.9.65:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
TR 185.216.70.238:37515 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.171:80 85.209.176.171 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 learn.microsoft.com udp
FI 77.91.124.55:19071 tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 104.26.13.31:443 api.ip.sb tcp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
IE 34.255.92.83:443 mscom.demdex.net tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 83.92.255.34.in-addr.arpa udp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 104.26.13.31:443 api.ip.sb tcp
IE 34.255.92.83:443 mscom.demdex.net tcp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
IE 34.255.92.83:443 mscom.demdex.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
IE 34.255.92.83:443 mscom.demdex.net tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp

Files

memory/2444-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2444-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2444-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2636-2-0x00000000014A0000-0x00000000014B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E947.exe

MD5 f507af6b498a27cab5e4a67f73338385
SHA1 7158ae79ef344fa4804245b1c5778bceaf9eaab2
SHA256 ab73d02b9161a649d8053c273b0040e8cd04d7a58dbd2688e1f939619c413728
SHA512 b27d40e2bd2e12a4b22cc779d37c2ce530810c356a5466c2a4a9d572d2086c165ff638a74ba27675e364d10cfbcea4f47fa2bc0b1c8ac7e76e5ee85708de0316

C:\Users\Admin\AppData\Local\Temp\F0D9.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\F752.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\FA51.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\FC65.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/2232-28-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD3ID7Eh.exe

MD5 015d7c9f0a840fe3d50c0c1716234899
SHA1 89e4a4eb63a9e3aa3f2ec4be1c0abcf39506f014
SHA256 801779a13d5b4be0edf8797402b19eff5abfa91bab832f56b4df546a157f17c7
SHA512 d88e746ca83388d02789559ce914087b775c1ed8486b6a0a639230446d0ca300033835eeb18a6151235970dfaad4dc46e9a4992b1f0e37b6e63cb386cfbd0571

C:\Users\Admin\AppData\Local\Temp\FF35.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\512.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2232-50-0x00007FFCCE820000-0x00007FFCCF2E1000-memory.dmp

memory/4508-52-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4508-53-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4508-54-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ah2ja0wu.exe

MD5 4ecaa85091da1da1ab99b3d9d9814c45
SHA1 8aef9194afb1f116edae731544e1ab1199691f48
SHA256 eccab56ef7d3bbb5a672890438e159b4d166857cb3450fdc3f4b611e98f82ddf
SHA512 196d0283740be8fa2ac8bbaed974bf607e9d6cbf009e29dcf076790ee2408aa97f4eff36d68d79e7508b6efb1da531c1cb752c3850596ae2ed5aa400b2861ebb

C:\Users\Admin\AppData\Local\Temp\9A7.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/4508-55-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1176-63-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BEA.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/1992-66-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1176-74-0x00000000020D0000-0x000000000212A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\12FF.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VF2bZ0Zv.exe

MD5 3ab416f9d645b5622e440fe7e360f31a
SHA1 b6927ba1d6597c0362bf59c90535a7464c49f399
SHA256 6e278a0296548ca49fac2fd8db0caab0f970d9aef8bab8398607da790d233b33
SHA512 bb36d62948b3c14eff2e4c3462d34aa2eb7e957afef4953ba116cf60e99e73bea2a7d67da49771e1eceaf71510801541a349e47c38c87ba36949c4239303f080

memory/3536-84-0x0000000000710000-0x0000000000868000-memory.dmp

memory/3536-92-0x0000000000710000-0x0000000000868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq11lF0.exe

MD5 2e98020fbc0f1dc89be9ce2f3e00e7e0
SHA1 c597900b452bbde858cc0933174a2954b73955b0
SHA256 113040705909444011b665636c30e9a14d49b22bd909da870c9c79bf7d3d2030
SHA512 6d619e0bba701f873205b10d59a76b8543190630de9876e1999dae846cb899dd4f5c3ea9c6cea2b81cd90d4725b0452651cc2fa05c31d68efd136d0834a24bcf

C:\Users\Admin\AppData\Local\Temp\1840.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\1B5E.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

memory/4892-104-0x00000000005E0000-0x000000000063A000-memory.dmp

memory/4892-106-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1296-111-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/3308-107-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2232-114-0x00007FFCCE820000-0x00007FFCCF2E1000-memory.dmp

memory/1992-116-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/3696-117-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/3536-118-0x0000000000710000-0x0000000000868000-memory.dmp

memory/4508-119-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/3308-126-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/1296-127-0x0000000000D30000-0x0000000000D8A000-memory.dmp

memory/3696-128-0x0000000000F70000-0x0000000000F8E000-memory.dmp

\??\pipe\LOCAL\crashpad_3232_HMEORKLVKKFJSMGE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1808-147-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1808-148-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1808-151-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2232-162-0x00007FFCCE820000-0x00007FFCCF2E1000-memory.dmp

memory/4508-163-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0e2afe61b933bfcda96407852fee103d
SHA1 8ca1a11cc215bfb46496154bf972583371d63a64
SHA256 87cd17ae78b1cc7ae231dba540ed3d33fd4e08d785ca895e0999aa5fa7369589
SHA512 945310997277662e3531105c07fd9c6f689747d9a9b0bffc7d187e271005eaf7220512f1926bd665f8512fb621bdbd21d42c20f34ea8461ac5fae0d6c4893324

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 16eb7fb0161b8267970de5f6792c438f
SHA1 5b11bcd222ed2ee8bd0c820b525809dac0a5876c
SHA256 180de6ad95bf64d319ee02e0b394ac3dc59a31c6cbdac6c56ec22101ad848c5e
SHA512 7c621a45636c8aba8c4fc5b3569c65c662a354ab08c4af31fadb4042d918acdd5d12189c6b4ec97d8d4786cd6bef920a52fba89e96d20251ba1ab47852ebdedc

memory/3308-191-0x0000000007E50000-0x00000000083F4000-memory.dmp

memory/3308-192-0x0000000007990000-0x0000000007A22000-memory.dmp

memory/3696-193-0x0000000005F30000-0x0000000006548000-memory.dmp

memory/3696-194-0x00000000057F0000-0x0000000005802000-memory.dmp

memory/3696-198-0x0000000005850000-0x000000000588C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1992-203-0x00000000078F0000-0x0000000007900000-memory.dmp

memory/1296-199-0x0000000005630000-0x0000000005640000-memory.dmp

memory/3308-209-0x0000000007AE0000-0x0000000007AF0000-memory.dmp

memory/1992-208-0x0000000007640000-0x000000000764A000-memory.dmp

memory/3696-214-0x0000000005890000-0x00000000058DC000-memory.dmp

memory/3696-218-0x0000000005900000-0x0000000005910000-memory.dmp

memory/1296-215-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/1296-219-0x0000000007EC0000-0x0000000007FCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ue866rX.exe

MD5 6d9bb2a5d13add66a48eb1e912c5d17e
SHA1 bd337b1ceefa2151f338e80dda214f52b82a8916
SHA256 625339778d8ec2234ffc4b6b6220f8255a710cf57ac549a0e589e754ffc5d7dd
SHA512 4bc8efe20bb9090f6f9ba4319248b40c5fbd208dad58456290f83a613b699f9c056bcb73776fb13957f921fb24a9206b560803c8932d03b487f98ca09396abda

memory/5448-248-0x0000000000D60000-0x0000000000D9E000-memory.dmp

memory/1992-249-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/3696-269-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/5448-278-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/3308-279-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/5448-280-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

memory/1296-283-0x0000000008710000-0x0000000008776000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4165c94329bea9e8578cdcad2c8f93bf
SHA1 edccf2a99703785123d4d82e43ab47f36b802c9f
SHA256 a683d11342e38956fcc3e4f9dbe68e362654975d598c6d5aff57ffabcdb9f71c
SHA512 3256270a94b39b4eb4a5287bbf927976a10d957877a7ca20e06c5a31259ede0d92dd7dc226f86ee361cf0c999496e119615e70915d30eb5a47056e50cdc0decd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1535e6d231740c682ae9ebb4ccf79893
SHA1 83bfa21e35493df03d2fae98bf6b19fef6c3e426
SHA256 0566e348cee0a4969134a2681e620b9c951089b44e9807229f09a822f3c12173
SHA512 2489bbd986dd1973561200ac30fce4173f319f9e760970981381da74ecd30a6e850ac3147b15f7f6a76261b7ff9429e7d755dd0a6ad4a2a01382f828bdebe06d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

\??\pipe\LOCAL\crashpad_1404_THBRODKXLJLCLESY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1296-364-0x0000000005630000-0x0000000005640000-memory.dmp

memory/1992-365-0x00000000078F0000-0x0000000007900000-memory.dmp

memory/3308-366-0x0000000007AE0000-0x0000000007AF0000-memory.dmp

memory/1296-374-0x000000000ABD0000-0x000000000AC20000-memory.dmp

memory/1296-376-0x000000000ACA0000-0x000000000AD16000-memory.dmp

memory/3696-375-0x0000000005900000-0x0000000005910000-memory.dmp

memory/5448-389-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/3696-406-0x0000000006DE0000-0x0000000006FA2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f508f8b3e512d03ab1c6a086ec9f21cb
SHA1 9642e6bdf61116527dbb303ffcada83b5f7b9032
SHA256 b692220d30a799800a44ec919fbec8b41b44297099195d3fcdf4cbbeb8e8812f
SHA512 6119cec1c57dc724f34e3f76c9ff91e2dac4dff3e717bb5b40c8e83be1ed68b10cfe2c006b15bc93cccb4c7474fd973429d62cba8c17bccee836531304a865ea

memory/3696-409-0x00000000074E0000-0x0000000007A0C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 6bab470ce4335b3ff597eb46b09ecaef
SHA1 52243169a436d19fbcc067c8573ff51ddcf64d3c
SHA256 5fefff1474f920d59b71764ab67e078096f26e51938f9b123bea592400793324
SHA512 453dcb6ad5bf87a16d8399c5079e33933914305ff8e53b5b3325d6392c16564d88fe36195fec134ab25a11b7c7a40b7f4679f3ec981959704140f08192dc9a5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 700ccab490f0153b910b5b6759c0ea82
SHA1 17b5b0178abcd7c2f13700e8d74c2a8c8a95792a
SHA256 9aa923557c6792b15d8a80dd842f344c0a18076d7853dd59d6fd5d51435c7876
SHA512 0fec3d9549c117a0cb619cc4b13c1c69010cafceefcca891b33f4718c8d28395e8ab46cc308fbc57268d293921b07fabaf4903239091cee04243890f2010447f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 8bea29903e8332f44bd71a6dd04b6aef
SHA1 d792bc172c8d3f44dbf4f2142af2f1af4ef4857b
SHA256 54bfa7e4c1a23aff46b6f6db1c660e68a6f3d8c7d469ac6547b4f485fcf0e066
SHA512 681f29ffb7a8c571a2e5962f5cdc71e6980eae5e3754ffc7cece4d7fac31d9ef13345bc047297c46dfe557a45e4592937f01e01832cccd0cdd1a0276b23bd4fe

memory/5448-429-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

MD5 7e2a819601bdb18df91d434ca4d95976
SHA1 94c8d876f9e835b82211d1851314c43987290654
SHA256 7da655bf7ac66562215c863212e7225e1d3485e47e4c2d3c09faac7f78999db1
SHA512 1ca1d95cc91cb06a22b8d30a970c254e334db7ff6bad255333bac2adc83c98735ec9c43bccf9c46514664d449a43d2586d38a45970338655244e754d2a87a83e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

C:\Users\Admin\AppData\Local\Temp\tmp91FB.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp9220.tmp

MD5 6e98ae51f6cacb49a7830bede7ab9920
SHA1 1b7e9e375bd48cae50343e67ecc376cf5016d4ee
SHA256 192cd04b9a4d80701bb672cc3678912d1df8f6b987c2b4991d9b6bfbe8f011fd
SHA512 3e7cdda870cbde0655cc30c2f7bd3afee96fdfbe420987ae6ea2709089c0a8cbc8bb9187ef3b4ec3f6a019a9a8b465588b61029869f5934e0820b2461c4a9b2b

C:\Users\Admin\AppData\Local\Temp\tmp926B.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp9296.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp92C1.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp9280.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 358e1024cba836d34c55d954df09afa3
SHA1 40f4483aac239550f916b2f9245165298f9dc202
SHA256 077ebd8adb95c82476d8592530f570bf6c4c0c8e0109746468ad408b9629b857
SHA512 c439966ee5a3549a03620b36d4d493f99891b2593d77ec6cca7ffcb8ea794af3e3747f2cc0f94d7af474f77784d418e74acf7864008c193b0250dcd04cdcb0e2

memory/3696-603-0x0000000007B30000-0x0000000007B4E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2c58271b9e595f495eff95fc850c7894
SHA1 b3a579d2ef1098a4f61be43c5bbfef6b1b88c147
SHA256 28587145272cfa5d407151a0cde9d8a3047ce6e30d0a97158108fab555514499
SHA512 6fa1570953ea9a629513b8567a19111d60127ba157223b86717f592d1e9a165a6fa615d76b878ffb9bbaaaf639e9b3ca6fe1bbe0e23685c5a5f46df65a977ca5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b5ed.TMP

MD5 8fe6a26bd3b5916e6dc0dab27e664018
SHA1 37d533c37af2c333fe350d5c36564919a8505e4d
SHA256 ffed7546e4f472ab98c9cd878dcb2f70852189e25ea06e60ab9485ef94376cda
SHA512 1889376a70a8ccad921a93e3ffc707a3c2c579f26f4be6be8697831bb4cf75828d2f75baf6b3f22c32f1cf11ba7eb73a65385a7eecc914d71df851b73c44a606

memory/3308-654-0x0000000072B80000-0x0000000073330000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8665e9f88f1189a9b1d51fdb8f376969
SHA1 8c2fdfefefba3cb94605504c6d0f7675d8163a79
SHA256 c02088d9a9e922071594febfe4559e45e3890cf4b137b205af3f44f2def94003
SHA512 6d0d40ebee9c738595d6c79ee6bbe3018b5567714dce62c2c1ef6cc42dc68850fefa76492508b10e2e139ae5a0437860bfedfb19e9fe31cb870f3d18e951b33f

memory/1296-683-0x0000000072B80000-0x0000000073330000-memory.dmp

memory/3696-685-0x0000000072B80000-0x0000000073330000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e37bde804895e3ef32dbf2f7f6ad5ab2
SHA1 83ac4950bed2d27166f8f98e4973cf16b64187bf
SHA256 d098c97309ac12e90038528547e1e437f1d1ebb0a9b2535de014cd21a1c011ad
SHA512 99acd8e5983848dadf9fc71ab3ec1e43025d98b8f4891e8441e6f7c811dbfbf244763926b871b13761632893dbc1a949045a867715760d206300089a2dbd78bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 df8eee0b87b21262f7d03ca760f88d63
SHA1 0755041d1db4f4385212b0e0a32325ff47ca782a
SHA256 576778bbabe99c27c607d03d899f07ec583bb588848adc3f504f0e422f86c1f8
SHA512 226b00ba17c94fbcb13104b507e7532a09e12f51142e1108671c169500d9454c427fa3ba25a620b5842cb821327c39057ee03c7dc329247186c392a742010935

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2e738646ab255ec1b51ddfef3462f4d9
SHA1 97c3077be9aaa8f7557eabdf472d5ac641c4856a
SHA256 8ef1743c8ad2b5fab3c7fe34dcc8e34bcea69ccd328f36c71ce21e3c85a71d5d
SHA512 3fef50ed3cbc1e8abef2a1ccc36082a85eb351cd47eafabdaed4abb4e74a65269327c2e9370660cef1d51601ba6c2affb3de70bb58c5dd0c06fe476dde8ce54b

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2e65d036e85d606a323c99f2312877be
SHA1 7c81d8790a97619df2e253cdde8825ef48cfb781
SHA256 77d7e42e7a8857e90af7773336fa1e4aa38596a2e424bd73c602824c8d08ceb4
SHA512 37e0ffa3501853d6f5c2a283fde75db84decf230593676e23a8f302ba378cb9e85788fc57536ead89ab522d3b25c68e4d5153b96a264a3a68c4eee5b4429895a
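Three things in the file list above are easy to miss when reading it by hand: Temp\FF35.exe and Temp\fefffe8cea\explothe.exe carry identical digests, as do Temp\512.exe and Temp\207aa4515d\oneetx.exe, so each pair is one payload written twice (a loader copying itself into its own persistence directory) rather than two samples; the crashpad named-pipe entries carry the digests of zero-length input (d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input), so they have no value as hash IOCs; and several entries repeat verbatim. The following Python is an added example, not code from the report or its sandbox, that parses entries in the layout used above (a path line, a blank line, then "ALGO hexdigest" lines; memory dumps as single "memory/PID-N-0xSTART-0xEND-memory.dmp" lines, an assumption about the layout) and surfaces those three points. The sample input is copied from the entries above, with the SHA512 lines left out to keep it short; the parser accepts any subset of the four algorithms.

```python
import hashlib
import re
from collections import defaultdict

# Sample in the report's layout, copied from the file list above (SHA512 lines
# omitted for brevity; the parser accepts them when present).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\FF35.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

memory/4508-52-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\512.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

\??\pipe\LOCAL\crashpad_3232_HMEORKLVKKFJSMGE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digests of zero-length input, computed at runtime rather than hard-coded.
EMPTY = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in HASH_LEN}

def parse_file_list(text):
    """Split the report's file list into file entries ({"path", "hashes"}) and
    memory-dump entries ((pid, seq, start, end)), in report order."""
    files, memory = [], []
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            memory.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current['path']}: bad {algo} length")
            current["hashes"][algo] = digest
            continue
        current = {"path": line, "hashes": {}}  # a path or named-pipe line
        files.append(current)
    return files, memory

def dedupe(files):
    """Drop entries that repeat an earlier (path, SHA256) pair verbatim."""
    seen, unique = set(), []
    for f in files:
        key = (f["path"], f["hashes"].get("SHA256"))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique

def copies_by_content(files):
    """SHA256 -> sorted distinct paths, for digests seen under more than one
    name: the same payload written again elsewhere, not a second sample."""
    groups = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            groups[f["hashes"]["SHA256"]].add(f["path"])
    return {s: sorted(p) for s, p in groups.items() if len(p) > 1}

def empty_content_entries(files):
    """Paths whose digests are those of zero-length input (named pipes,
    placeholders): no content, so useless as hash IOCs."""
    return [f["path"] for f in files if f["hashes"]
            and all(d == EMPTY[a] for a, d in f["hashes"].items())]

if __name__ == "__main__":
    files, memory = parse_file_list(SAMPLE)
    for sha, paths in copies_by_content(dedupe(files)).items():
        print(f"same content {sha[:12]}...: " + " | ".join(paths))
    print("empty content:", empty_content_entries(files))
    print("memory regions:", [(pid, hex(s), hex(e)) for pid, _, s, e in memory])
```

Run against the full list, the copy grouping is what tells you which Temp\*.exe names to expect under the persistence directories, and the empty-content filter keeps the crashpad pipe digests out of a blocklist, where they would match every empty file on the estate.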