Malware Analysis Report

2025-08-10 23:42

Sample ID 231011-y5kaqsdb63
Target c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a
SHA256 1f0b6cec5e0308450874c33258375b92d3738f00aa14943d37aa0a90c84968ef
Tags
amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan breha kukish microsoft phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f0b6cec5e0308450874c33258375b92d3738f00aa14943d37aa0a90c84968ef

Threat Level: Known bad

The file c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a was found to be: Known bad.

Malicious Activity Summary

amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan breha kukish microsoft phishing

DcRat

RedLine

Amadey

Healer

SmokeLoader

SectopRAT payload

Detects Healer an antivirus disabler dropper

SectopRAT

RedLine payload

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Modifies system certificate store

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 20:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 20:22

Reported

2023-10-12 14:59

Platform

win7-20230831-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\628E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\628E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\628E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\628E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\628E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\628E.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6444.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6722.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\628E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\628E.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D20E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\96AC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\96AC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\96AC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\96AC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\628E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96AC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CFA9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C08B.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6C80.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6722.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\SysWOW64\WerFault.exe
PID 2152 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\SysWOW64\WerFault.exe
PID 2152 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\SysWOW64\WerFault.exe
PID 2152 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\SysWOW64\WerFault.exe
PID 1280 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe
PID 1280 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe
PID 1280 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe
PID 1280 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe
PID 1280 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe
PID 1280 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe
PID 1280 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe
PID 1280 wrote to memory of 2712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D395.exe
PID 1280 wrote to memory of 2712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D395.exe
PID 1280 wrote to memory of 2712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D395.exe
PID 1280 wrote to memory of 2712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D395.exe
PID 2608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\D20E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2780 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2780 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2780 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2780 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2780 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2780 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2780 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2588 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 2588 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 2588 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 2588 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 2588 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 2588 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 2588 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 1708 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 1708 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 1708 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 1708 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe

"C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 60

C:\Users\Admin\AppData\Local\Temp\D20E.exe

C:\Users\Admin\AppData\Local\Temp\D20E.exe

C:\Users\Admin\AppData\Local\Temp\D395.exe

C:\Users\Admin\AppData\Local\Temp\D395.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 48

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 36

C:\Users\Admin\AppData\Local\Temp\590C.exe

C:\Users\Admin\AppData\Local\Temp\590C.exe

C:\Users\Admin\AppData\Local\Temp\628E.exe

C:\Users\Admin\AppData\Local\Temp\628E.exe

C:\Users\Admin\AppData\Local\Temp\6444.exe

C:\Users\Admin\AppData\Local\Temp\6444.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\6722.exe

C:\Users\Admin\AppData\Local\Temp\6722.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 48

C:\Users\Admin\AppData\Local\Temp\6C80.exe

C:\Users\Admin\AppData\Local\Temp\6C80.exe

C:\Users\Admin\AppData\Local\Temp\96AC.exe

C:\Users\Admin\AppData\Local\Temp\96AC.exe

C:\Users\Admin\AppData\Local\Temp\A750.exe

C:\Users\Admin\AppData\Local\Temp\A750.exe

C:\Users\Admin\AppData\Local\Temp\C08B.exe

C:\Users\Admin\AppData\Local\Temp\C08B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\CFA9.exe

C:\Users\Admin\AppData\Local\Temp\CFA9.exe

C:\Users\Admin\AppData\Local\Temp\DB1F.exe

C:\Users\Admin\AppData\Local\Temp\DB1F.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {489B209F-6710-430D-A838-FD0DB5E71FE5} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
MD 176.123.9.142:37637 tcp
IT 185.196.9.65:80 tcp
BG 171.22.28.202:16706 tcp
TR 185.216.70.238:37515 tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 104.26.13.31:443 api.ip.sb tcp
FI 77.91.124.1:80 77.91.124.1 tcp

Files

memory/1700-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1700-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1700-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1700-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1700-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1280-5-0x0000000002750000-0x0000000002766000-memory.dmp

memory/1700-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D20E.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\D20E.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\D395.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\D395.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\D20E.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\D395.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\D395.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\D395.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\D395.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\590C.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\590C.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\628E.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\628E.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/1060-95-0x0000000000080000-0x000000000008A000-memory.dmp

memory/1060-97-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\6444.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\6444.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\6722.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\6722.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1188-114-0x00000000004D0000-0x00000000004D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1060-126-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

\Users\Admin\AppData\Local\Temp\590C.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

\Users\Admin\AppData\Local\Temp\590C.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

\Users\Admin\AppData\Local\Temp\590C.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\6C80.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\6C80.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/608-135-0x0000000000400000-0x000000000046F000-memory.dmp

memory/608-137-0x0000000000230000-0x000000000028A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96AC.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\96AC.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\A750.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

memory/608-150-0x0000000000400000-0x000000000046F000-memory.dmp

memory/272-151-0x0000000000940000-0x0000000000A98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C08B.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\C08B.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/2912-157-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2948-160-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2948-163-0x0000000000080000-0x00000000000BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CFA9.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/2948-171-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/272-173-0x0000000000940000-0x0000000000A98000-memory.dmp

\Users\Admin\AppData\Local\Temp\590C.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\CFA9.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/2948-177-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2948-178-0x0000000000080000-0x00000000000BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C08B.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\6C80.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/308-182-0x0000000000B30000-0x0000000000B8A000-memory.dmp

memory/780-181-0x0000000000B10000-0x0000000000B2E000-memory.dmp

\Users\Admin\AppData\Local\Temp\DB1F.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

C:\Users\Admin\AppData\Local\Temp\DB1F.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

memory/780-188-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/308-189-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2948-190-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/608-191-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2912-192-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2912-193-0x0000000000400000-0x000000000046F000-memory.dmp

memory/608-194-0x0000000007130000-0x0000000007170000-memory.dmp

memory/2912-195-0x00000000071C0000-0x0000000007200000-memory.dmp

memory/2948-196-0x00000000074E0000-0x0000000007520000-memory.dmp

memory/780-197-0x0000000000630000-0x0000000000670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1D7.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar228.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1060-236-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

memory/780-237-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2472-238-0x000000013F020000-0x000000013F31F000-memory.dmp

memory/308-239-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2948-240-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/608-241-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2912-242-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2912-248-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/608-247-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/3028-246-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/3028-244-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/3028-249-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2472-251-0x000000013F020000-0x000000013F31F000-memory.dmp

memory/3028-253-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/3028-252-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/308-254-0x0000000007280000-0x00000000072C0000-memory.dmp

memory/3028-255-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/308-256-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2948-257-0x00000000074E0000-0x0000000007520000-memory.dmp

memory/780-258-0x0000000000630000-0x0000000000670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2E91.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp2EC6.tmp

MD5 9c3d41e4722dcc865c20255a59633821
SHA1 f3d6bb35f00f830a21d442a69bc5d30075e0c09b
SHA256 8a9827a58c3989200107213c7a8f6bc8074b6bd0db04b7f808bd123d2901972d
SHA512 55f0e7f0b42b21a0f27ef85366ccc5aa2b11efaad3fddb5de56207e8a17ee7077e7d38bde61ab53b96fae87c1843b57c3f79846ece076a5ab128a804951a3e14

memory/780-352-0x0000000072BF0000-0x00000000732DE000-memory.dmp

memory/2948-353-0x0000000072BF0000-0x00000000732DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 20:22

Reported

2023-10-12 15:01

Platform

win10v2004-20230915-en

Max time kernel

169s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\2C20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2C20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\2C20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\2C20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2C20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\2C20.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\349D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3847.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\2C20.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1306.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe N/A

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2C20.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3847.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3752 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3752 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3752 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3752 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3752 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3752 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3224 wrote to memory of 3612 N/A N/A C:\Users\Admin\AppData\Local\Temp\1306.exe
PID 3224 wrote to memory of 3612 N/A N/A C:\Users\Admin\AppData\Local\Temp\1306.exe
PID 3224 wrote to memory of 3612 N/A N/A C:\Users\Admin\AppData\Local\Temp\1306.exe
PID 3612 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1306.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 3612 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1306.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 3612 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1306.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 3224 wrote to memory of 1112 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe
PID 3224 wrote to memory of 1112 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe
PID 3224 wrote to memory of 1112 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe
PID 3728 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 3728 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 3728 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 3224 wrote to memory of 1508 N/A N/A C:\Windows\system32\cmd.exe
PID 3224 wrote to memory of 1508 N/A N/A C:\Windows\system32\cmd.exe
PID 3224 wrote to memory of 1660 N/A N/A C:\Users\Admin\AppData\Local\Temp\25B6.exe
PID 3224 wrote to memory of 1660 N/A N/A C:\Users\Admin\AppData\Local\Temp\25B6.exe
PID 3224 wrote to memory of 1660 N/A N/A C:\Users\Admin\AppData\Local\Temp\25B6.exe
PID 4580 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 4580 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 4580 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 4256 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 4256 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 4256 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 3224 wrote to memory of 1164 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C20.exe
PID 3224 wrote to memory of 1164 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C20.exe
PID 2824 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2824 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2824 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 3224 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\349D.exe
PID 3224 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\349D.exe
PID 3224 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\349D.exe
PID 3224 wrote to memory of 828 N/A N/A C:\Users\Admin\AppData\Local\Temp\3847.exe
PID 3224 wrote to memory of 828 N/A N/A C:\Users\Admin\AppData\Local\Temp\3847.exe
PID 3224 wrote to memory of 828 N/A N/A C:\Users\Admin\AppData\Local\Temp\3847.exe
PID 1508 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3224 wrote to memory of 1096 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BF2.exe
PID 3224 wrote to memory of 1096 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BF2.exe
PID 3224 wrote to memory of 1096 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BF2.exe
PID 3224 wrote to memory of 3288 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E16.exe
PID 3224 wrote to memory of 3288 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E16.exe
PID 3224 wrote to memory of 3288 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E16.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1112 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1A5A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3224 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Temp\42E9.exe
PID 3224 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Temp\42E9.exe
PID 3224 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Temp\42E9.exe
PID 3224 wrote to memory of 4996 N/A N/A C:\Users\Admin\AppData\Local\Temp\46C2.exe
PID 3224 wrote to memory of 4996 N/A N/A C:\Users\Admin\AppData\Local\Temp\46C2.exe
PID 3224 wrote to memory of 4996 N/A N/A C:\Users\Admin\AppData\Local\Temp\46C2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe

"C:\Users\Admin\AppData\Local\Temp\c5e7a9c1f0d612b23cb275666895f668936b2f1451e989843b922cc04875cd6a.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3752 -ip 3752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 224

C:\Users\Admin\AppData\Local\Temp\1306.exe

C:\Users\Admin\AppData\Local\Temp\1306.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Users\Admin\AppData\Local\Temp\1A5A.exe

C:\Users\Admin\AppData\Local\Temp\1A5A.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2383.bat" "

C:\Users\Admin\AppData\Local\Temp\25B6.exe

C:\Users\Admin\AppData\Local\Temp\25B6.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\2C20.exe

C:\Users\Admin\AppData\Local\Temp\2C20.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

C:\Users\Admin\AppData\Local\Temp\349D.exe

C:\Users\Admin\AppData\Local\Temp\349D.exe

C:\Users\Admin\AppData\Local\Temp\3847.exe

C:\Users\Admin\AppData\Local\Temp\3847.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\3BF2.exe

C:\Users\Admin\AppData\Local\Temp\3BF2.exe

C:\Users\Admin\AppData\Local\Temp\3E16.exe

C:\Users\Admin\AppData\Local\Temp\3E16.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1112 -ip 1112

C:\Users\Admin\AppData\Local\Temp\42E9.exe

C:\Users\Admin\AppData\Local\Temp\42E9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 260

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\46C2.exe

C:\Users\Admin\AppData\Local\Temp\46C2.exe

C:\Users\Admin\AppData\Local\Temp\49C1.exe

C:\Users\Admin\AppData\Local\Temp\49C1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8728d46f8,0x7ff8728d4708,0x7ff8728d4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1660 -ip 1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8728d46f8,0x7ff8728d4708,0x7ff8728d4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1336 -ip 1336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4708 -ip 4708

C:\Users\Admin\AppData\Local\Temp\5328.exe

C:\Users\Admin\AppData\Local\Temp\5328.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 540

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1556,10678839986246091549,8254969742572507150,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,10678839986246091549,8254969742572507150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yu966Qp.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yu966Qp.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=46C2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8728d46f8,0x7ff8728d4708,0x7ff8728d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=46C2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8728d46f8,0x7ff8728d4708,0x7ff8728d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3BF2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3BF2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8728d46f8,0x7ff8728d4708,0x7ff8728d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8728d46f8,0x7ff8728d4708,0x7ff8728d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14790964959297478298,15617080765787167237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\hfjtssh

C:\Users\Admin\AppData\Roaming\hfjtssh

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 161.240.123.52.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
RU 5.42.92.211:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 mdec.nelreports.net udp
NL 84.53.175.81:443 mdec.nelreports.net tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
IE 52.210.125.129:443 mscom.demdex.net tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 81.175.53.84.in-addr.arpa udp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 129.125.210.52.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.238:37515 tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
IE 52.210.125.129:443 mscom.demdex.net tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 104.26.12.31:443 api.ip.sb tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
IE 52.210.125.129:443 mscom.demdex.net tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
IE 52.210.125.129:443 mscom.demdex.net tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp

Files

memory/2864-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2864-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3224-2-0x0000000002850000-0x0000000002866000-memory.dmp

memory/2864-4-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1306.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\1306.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

C:\Users\Admin\AppData\Local\Temp\1A5A.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

C:\Users\Admin\AppData\Local\Temp\1A5A.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\2383.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\25B6.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\25B6.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

memory/1164-63-0x00000000006B0000-0x00000000006BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\2C20.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\2C20.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\349D.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1164-71-0x00007FF874D80000-0x00007FF875841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\349D.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\3847.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\3847.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\3BF2.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\3E16.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\3BF2.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/3200-83-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3200-84-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3200-85-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3200-90-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1096-92-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1096-93-0x0000000001F80000-0x0000000001FDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3E16.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/4552-99-0x0000000000250000-0x00000000003A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\42E9.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\42E9.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\46C2.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\49C1.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\49C1.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\46C2.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/2856-113-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4708-117-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4708-120-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4996-119-0x00000000020D0000-0x000000000212A000-memory.dmp

memory/4708-123-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4996-118-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dc1545f40e709a9447a266260fdc751e
SHA1 8afed6d761fb82c918c1d95481170a12fe94af51
SHA256 3dadfc7e0bd965d4d61db057861a84761abf6af17b17250e32b7450c1ddc4d48
SHA512 ed0ae5280736022a9ef6c5878bf3750c2c5473cc122a4511d3fb75eb6188a2c3931c8fa1eaa01203a7748f323ed73c0d2eb4357ac230d14b65d18ac2727d020f

memory/4552-126-0x0000000000250000-0x00000000003A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5328.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

memory/1164-131-0x00007FF874D80000-0x00007FF875841000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

memory/4248-137-0x0000000000A20000-0x0000000000A5E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

\??\pipe\LOCAL\crashpad_2852_GHQTAMBPNHSFDZTR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4552-157-0x0000000000250000-0x00000000003A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3f80761bcc8ea79443fe1dc76ca32b66
SHA1 2c061d42f78d3f141c097080115aa95f69b7c174
SHA256 5c7cd22efa3df20f9c0959451313aece343f4b83af50ef49f5e34b923fe0dbcb
SHA512 340451bf7d47f1d7f325b5de59dad4707d6c0ca6fdaafa554e61629bc5ef9531ef4bb88668588267351ef03af11ea44ffef9dc3ec56864ae571966fe8cd9361f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

\??\pipe\LOCAL\crashpad_4656_KMSJOPSDONMBFKEW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1164-191-0x00007FF874D80000-0x00007FF875841000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 46bf83efdc28df1cd97621bea3096399
SHA1 55f9a0d42a326c70af69ea377646159691c36197
SHA256 b4cc199804fa7ac8ab957429b56ab908e5dfd48a20a7d8663d74127772951bdf
SHA512 837c844463af26f99f9a7b959e0c7c0942bab8467b680980c1f00f356bf7ac41ffe5a17f888480e10bc6883ef00338a2aab4da792bc2a4aaafee9c300156a7d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\48dcceb8-91f9-445f-b2a6-3326af2b191d.tmp

MD5 0269577d7c8e0850527a7ea8cc12cd3c
SHA1 2070c8d88d4ee330d2e20797c4411e889b14cc55
SHA256 73d024086080e69ea6857b8ab73984381799a9882d73ef4ea3a4844adbc3cf0a
SHA512 d32e1781150b71a1f886d4083787f2a5550854358117a0e40ec7a4b92d933cf76574893b909641462c93aad3e53de0ac9c537e424e0ffe9448d9e607b2fbe8a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 46bf83efdc28df1cd97621bea3096399
SHA1 55f9a0d42a326c70af69ea377646159691c36197
SHA256 b4cc199804fa7ac8ab957429b56ab908e5dfd48a20a7d8663d74127772951bdf
SHA512 837c844463af26f99f9a7b959e0c7c0942bab8467b680980c1f00f356bf7ac41ffe5a17f888480e10bc6883ef00338a2aab4da792bc2a4aaafee9c300156a7d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c780c5caf3b77cd6c81e0b52fc0730d6
SHA1 726b60d81ceb7c088cfa9b90a61d4363bfe23f9f
SHA256 0f5e43191a657d2e39306e8a32f13eda07d756b061976cedf2ff8c37b9c01513
SHA512 9d7a3f131e5e5cc4a24ea32e3323d44ce13b3befb9d4ca01b65916fd0f5b5c471474fe64a99b9a11ee20bf88b5710137a41d1b9b064c792dd6e40bf169e0b105

memory/4772-223-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/6132-225-0x00000000003B0000-0x00000000003E3000-memory.dmp

memory/4484-226-0x00007FF6988D0000-0x00007FF698BCF000-memory.dmp

memory/6132-228-0x00000000003B0000-0x00000000003E3000-memory.dmp

memory/6132-229-0x00000000003B0000-0x00000000003E3000-memory.dmp

memory/3200-230-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6132-231-0x00000000003B0000-0x00000000003E3000-memory.dmp

memory/3288-232-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/2856-235-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/4248-236-0x0000000072570000-0x0000000072D20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 15ad31a14e9a92d2937174141e80c28d
SHA1 b09e8d44c07123754008ba2f9ff4b8d4e332d4e5
SHA256 bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde
SHA512 ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0269577d7c8e0850527a7ea8cc12cd3c
SHA1 2070c8d88d4ee330d2e20797c4411e889b14cc55
SHA256 73d024086080e69ea6857b8ab73984381799a9882d73ef4ea3a4844adbc3cf0a
SHA512 d32e1781150b71a1f886d4083787f2a5550854358117a0e40ec7a4b92d933cf76574893b909641462c93aad3e53de0ac9c537e424e0ffe9448d9e607b2fbe8a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7584fdc789259fd1d702893a82cfcfbc
SHA1 9c5c391208029703034e2cc29fb4ecc0d3df37d6
SHA256 119de38e87eb656a0e58c5c61824b430edea9eaf6cb1f55d1c1cf3daec140580
SHA512 5dcedb5a158f71fe40df0a34f3bb19cabeaffeddefab696f777280ff8cf0446b8c4979ea516bc81632a1389a1b38fac39a3f98d9b1813232d940ad54aca9fbaa

memory/4772-263-0x0000000000790000-0x00000000007EA000-memory.dmp

memory/3288-262-0x00000000000A0000-0x00000000000BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yu966Qp.exe

MD5 0e19769e1f0bb8e5ad0a561189fa67d8
SHA1 e96e111d73329225611a553118878ddc92816230
SHA256 4878678d86879b014280fb0c1479968f25d50e2aeadc30ef1e306ec58d06fbeb
SHA512 e52ff5acc44ca82700927292f33c1c098c67e7196bff5712020ca459ff65fdb44d9ce36a0fbbc98f782b30247ff81ebd62815db9c291af8aebbc44e73a889bcf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yu966Qp.exe

MD5 0e19769e1f0bb8e5ad0a561189fa67d8
SHA1 e96e111d73329225611a553118878ddc92816230
SHA256 4878678d86879b014280fb0c1479968f25d50e2aeadc30ef1e306ec58d06fbeb
SHA512 e52ff5acc44ca82700927292f33c1c098c67e7196bff5712020ca459ff65fdb44d9ce36a0fbbc98f782b30247ff81ebd62815db9c291af8aebbc44e73a889bcf

memory/4492-286-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/4492-287-0x0000000000A70000-0x0000000000AAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3288-351-0x0000000004FF0000-0x0000000005608000-memory.dmp

memory/4492-350-0x0000000007D30000-0x00000000082D4000-memory.dmp

memory/3288-352-0x0000000004920000-0x0000000004932000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

memory/4492-355-0x0000000007820000-0x00000000078B2000-memory.dmp

memory/3288-358-0x0000000004980000-0x00000000049BC000-memory.dmp

memory/2856-359-0x0000000005560000-0x0000000005570000-memory.dmp

memory/4492-360-0x00000000077D0000-0x00000000077E0000-memory.dmp

memory/3288-362-0x00000000049D0000-0x0000000004A1C000-memory.dmp

memory/4248-364-0x00000000076E0000-0x00000000076F0000-memory.dmp

memory/4492-363-0x00000000079F0000-0x00000000079FA000-memory.dmp

memory/4772-365-0x0000000007710000-0x0000000007720000-memory.dmp

memory/3288-361-0x00000000049C0000-0x00000000049D0000-memory.dmp

memory/4772-366-0x0000000007920000-0x0000000007A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

memory/4772-385-0x0000000008120000-0x0000000008186000-memory.dmp

memory/4772-420-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/3288-421-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/2856-422-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/4248-423-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/4492-430-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/2856-431-0x0000000005560000-0x0000000005570000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a0b1ce4a54cb4fd1bd0e07bc87aebb0d
SHA1 ca839c7f657cc173ba62517453772036545135d1
SHA256 25c424ef4a6f15098fff4ca6f30cb1fdf9962a6541bc639d8991ddb63e188fda
SHA512 131d1ac1d44ca8ab44c1f335982fd28ca071b0a149bd7242930422ebacddaeae88b56a23d80d069db5100c956bf3a8b61c10dec9a1b1c2fff87a8f7741ce1f77

memory/4492-441-0x00000000077D0000-0x00000000077E0000-memory.dmp

memory/4248-442-0x00000000076E0000-0x00000000076F0000-memory.dmp

memory/4772-443-0x0000000007710000-0x0000000007720000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e2f96b632f60c0587481b443c13cd4f7
SHA1 c17aa03aaffe059bc61ab23c0bd555d229b7ab3b
SHA256 18b1c98ccee9389a108e178c1890ffe938ef2b62d0aa9a7a865154f705a37471
SHA512 82a899618a9547c043f4756cd409a4462576f191fb40a94c381ca1019c58fdd5e34fb87e5ddcfbce2e51b94bd298c14cde7c6030122c2ff3829b94da5b545fbb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590a08.TMP

MD5 b5703dd0ceedac74acefe99ecfa2c1e9
SHA1 1fca5646f1e2b51308a2e0b1316f23fb68f3d248
SHA256 201bd8c716537e5bb86b2c0dde99f9bfdc4cc6ed436a387f9a6ca7984ec95714
SHA512 27c4d7ad553721798cd1662d1fce2125338effc1b528b6f376683f2a3ff52e7151cb8883ca3a9ac8b84a2cdc32eb9b54e453d48fe6f92910d956aa8c98f06efd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 700ccab490f0153b910b5b6759c0ea82
SHA1 17b5b0178abcd7c2f13700e8d74c2a8c8a95792a
SHA256 9aa923557c6792b15d8a80dd842f344c0a18076d7853dd59d6fd5d51435c7876
SHA512 0fec3d9549c117a0cb619cc4b13c1c69010cafceefcca891b33f4718c8d28395e8ab46cc308fbc57268d293921b07fabaf4903239091cee04243890f2010447f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 6bab470ce4335b3ff597eb46b09ecaef
SHA1 52243169a436d19fbcc067c8573ff51ddcf64d3c
SHA256 5fefff1474f920d59b71764ab67e078096f26e51938f9b123bea592400793324
SHA512 453dcb6ad5bf87a16d8399c5079e33933914305ff8e53b5b3325d6392c16564d88fe36195fec134ab25a11b7c7a40b7f4679f3ec981959704140f08192dc9a5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 8bea29903e8332f44bd71a6dd04b6aef
SHA1 d792bc172c8d3f44dbf4f2142af2f1af4ef4857b
SHA256 54bfa7e4c1a23aff46b6f6db1c660e68a6f3d8c7d469ac6547b4f485fcf0e066
SHA512 681f29ffb7a8c571a2e5962f5cdc71e6980eae5e3754ffc7cece4d7fac31d9ef13345bc047297c46dfe557a45e4592937f01e01832cccd0cdd1a0276b23bd4fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

MD5 7e2a819601bdb18df91d434ca4d95976
SHA1 94c8d876f9e835b82211d1851314c43987290654
SHA256 7da655bf7ac66562215c863212e7225e1d3485e47e4c2d3c09faac7f78999db1
SHA512 1ca1d95cc91cb06a22b8d30a970c254e334db7ff6bad255333bac2adc83c98735ec9c43bccf9c46514664d449a43d2586d38a45970338655244e754d2a87a83e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

memory/3288-521-0x0000000005F10000-0x00000000060D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c8d00783a25ef14eab1d793061f9d2b1
SHA1 fff1b424e78ce970757102ac9f45444361da197e
SHA256 31817c799ea42de921738cbcd116f9142d52d2176edb7b2e08ade0d2eaa66cd7
SHA512 e10609884de489e0eb94272de11baf35e7fc0b77da9af3216b4d006b247a7678ce3d8279e56693b1c15551e8ce3182fbb841a87dc0c7d5d3f96932bbd9cf41c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 64e40a38b1c6acd837ccdfd6df137349
SHA1 81e3bf0f3ae9c21d883db5202ae8344562c9cb9a
SHA256 f597eaaf612b3087d5e24558ba71153ebd8ee8bb064e9624f1f8fe9706bad5ef
SHA512 a89c24731beb5552d38c1d153332c8b29810aa6404a530492fb781fb5968297da7cf5e2aa304e922dfea4fae969057ab7ca031f8644bb84efd5417d139cbc985

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 de26eccc3458b09770959e0bf56a21f3
SHA1 515e6f14fcf8721bdd1e78649fb47859c7967f74
SHA256 9201bd49a34d62a9aa600a56e31104051d5f937cddfda781603f1383f7d3cc4f
SHA512 c51f8779164a54ef0ce4141b195a6f05d3237537efa583b5360f6873994912416903a3340a1ef48ba89bfd35b8f2b0268294577b9f78ed1bb52dbe212605f045

memory/3288-559-0x0000000006610000-0x0000000006B3C000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Local\Temp\tmp7120.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp7155.tmp

MD5 02f8652ecec423d1ebd72ff3863579fe
SHA1 d9772bd7f3978dc302b44216d2e3a2d62e0b0544
SHA256 37c53e07bac027475dbc6122b2e105a431effa21c8e554f5c44e8652c8fa84b9
SHA512 c319907b9f0e8606e783a7f782c0d4241c3aedf5b783961c77f72feee94709c080569979ac5c005bc35aba65e9a4f1e37d658f4baac44b114b4c5234900c47a9

C:\Users\Admin\AppData\Local\Temp\tmp719F.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp71BB.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp71A5.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp7206.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/3288-727-0x00000000062D0000-0x0000000006346000-memory.dmp

memory/3288-728-0x00000000064F0000-0x000000000650E000-memory.dmp

memory/4772-729-0x0000000005080000-0x00000000050D0000-memory.dmp

memory/4248-756-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/4772-757-0x0000000072570000-0x0000000072D20000-memory.dmp

memory/3288-759-0x0000000072570000-0x0000000072D20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 acfa1723aa2b7c92b697114faa0d5d7a
SHA1 3f10548b36315a4373639052e8975dd81644244d
SHA256 a3213c77b8f13a85d6dc5a7cfbdd4e761ff117c24f279238634c319ebba5b1f6
SHA512 288af3520c718bddf069f5675c2cf62b47414c25a3a67303eadbe3f2b96850c292d22a636340b251816a2284854ecd225092490fc6af986a69bc027da2c4da15

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2e65d036e85d606a323c99f2312877be
SHA1 7c81d8790a97619df2e253cdde8825ef48cfb781
SHA256 77d7e42e7a8857e90af7773336fa1e4aa38596a2e424bd73c602824c8d08ceb4
SHA512 37e0ffa3501853d6f5c2a283fde75db84decf230593676e23a8f302ba378cb9e85788fc57536ead89ab522d3b25c68e4d5153b96a264a3a68c4eee5b4429895a