Malware Analysis Report

2025-08-10 23:41

Sample ID 231011-y67sesdc75
Target 8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc
SHA256 8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc
Tags
amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan breha kukish microsoft phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc

Threat Level: Known bad

The file 8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc was found to be: Known bad.

Malicious Activity Summary

amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan breha kukish microsoft phishing

Amadey

SmokeLoader

DcRat

Healer

RedLine

SectopRAT

Detects Healer an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

SectopRAT payload

Downloads MZ/PE file

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 20:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 20:24

Reported

2023-10-12 15:07

Platform

win7-20230831-en

Max time kernel

152s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E87.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1AB8.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F23B.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403285036" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f6d5d81dfdd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c30000000002000000000010660000000100002000000033dde2962d02dcfdc3691c9d66155b219a1baaf3bb8f021481f5165457478024000000000e8000000002000020000000847d06af939fe897746cbcc60e79ace78e440caeaa3ede529df7216264e3793c90000000c00c44626015ecb3cb4fa532f1f9be4270984d8f36ce4a5c585d3a99d32d3b30ee9ac07e1f907c032c80cb54c0ea6786ae5e7d147c8f726437cffdcf205be4fc78a5ac82d110b42e475e4bc5c37ae29f671fb62810c98ce031bc6ff7f0ddcb62fada7eefbc70b91d2a9f4e33094ee36a0d401811eee081b2d371d3efff85d2da80a5c1769fe280a2027f7b58c2db54ef400000003a97e1b9828046f1d2c482e7e27c884c40b4ea5ac4f1fff7511d7edae39f19f2302c006fd3ae8d18bfbdaad7f2e0f72c9d6cb07fedd684d7591e8978cc9f97e5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFB73880-6910-11EE-9685-76A8121F2E0E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c3000000000200000000001066000000010000200000006ea2b454041de1033e434011b20728ef237b2707bd5f79b3feebdeee07002eea000000000e8000000002000020000000e170566545a7a31b25550489fc81bae0ae6d235a3169e13efd890f1a36a5e1e9200000004c427a87c724c9e2ecfab9f8eba0c8c022ba98e5dea564a9a483e358030c707340000000c45896393f06805df32a6b9438f608ebe9ab8929edecf9856d996125a64b3621dec4ca8a65172a10b819930c37c425d670f18b08fbff87b6ff7fd5738c905c06 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\5CE7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\5CE7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\5CE7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\5CE7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4F4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5CE7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E155.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B7D5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3B81.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1AB8.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1208 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1208 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1208 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe
PID 1264 wrote to memory of 1080 N/A N/A C:\Users\Admin\AppData\Local\Temp\F43F.exe
PID 1264 wrote to memory of 1080 N/A N/A C:\Users\Admin\AppData\Local\Temp\F43F.exe
PID 1264 wrote to memory of 1080 N/A N/A C:\Users\Admin\AppData\Local\Temp\F43F.exe
PID 1264 wrote to memory of 1080 N/A N/A C:\Users\Admin\AppData\Local\Temp\F43F.exe
PID 1264 wrote to memory of 3008 N/A N/A C:\Windows\system32\cmd.exe
PID 1264 wrote to memory of 3008 N/A N/A C:\Windows\system32\cmd.exe
PID 1264 wrote to memory of 3008 N/A N/A C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\F23B.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 1264 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7AB.exe
PID 1264 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7AB.exe
PID 1264 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7AB.exe
PID 1264 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7AB.exe
PID 2780 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 2780 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 2780 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 2780 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 2780 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 2780 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 2780 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 3008 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3008 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3008 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1264 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F4.exe
PID 1264 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F4.exe
PID 1264 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F4.exe
PID 1532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 1532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 1532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 1532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 1532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 1532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 1532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 1080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\F43F.exe C:\Windows\SysWOW64\WerFault.exe
PID 1080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\F43F.exe C:\Windows\SysWOW64\WerFault.exe
PID 1080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\F43F.exe C:\Windows\SysWOW64\WerFault.exe
PID 1080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\F43F.exe C:\Windows\SysWOW64\WerFault.exe
PID 664 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe

"C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 52

C:\Users\Admin\AppData\Local\Temp\F23B.exe

C:\Users\Admin\AppData\Local\Temp\F23B.exe

C:\Users\Admin\AppData\Local\Temp\F43F.exe

C:\Users\Admin\AppData\Local\Temp\F43F.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\F5D6.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

C:\Users\Admin\AppData\Local\Temp\F7AB.exe

C:\Users\Admin\AppData\Local\Temp\F7AB.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

C:\Users\Admin\AppData\Local\Temp\E87.exe

C:\Users\Admin\AppData\Local\Temp\E87.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 48

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 48

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

C:\Users\Admin\AppData\Local\Temp\4F4.exe

C:\Users\Admin\AppData\Local\Temp\4F4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 36

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1AB8.exe

C:\Users\Admin\AppData\Local\Temp\1AB8.exe

C:\Users\Admin\AppData\Local\Temp\3B81.exe

C:\Users\Admin\AppData\Local\Temp\3B81.exe

C:\Users\Admin\AppData\Local\Temp\5CE7.exe

C:\Users\Admin\AppData\Local\Temp\5CE7.exe

C:\Users\Admin\AppData\Local\Temp\6CB1.exe

C:\Users\Admin\AppData\Local\Temp\6CB1.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\B7D5.exe

C:\Users\Admin\AppData\Local\Temp\B7D5.exe

C:\Users\Admin\AppData\Local\Temp\E155.exe

C:\Users\Admin\AppData\Local\Temp\E155.exe

C:\Users\Admin\AppData\Local\Temp\ED77.exe

C:\Users\Admin\AppData\Local\Temp\ED77.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {AA87DA16-F981-40ED-8174-4C2EAE61DE89} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 www.facebook.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
MD 176.123.9.142:37637 tcp
BG 171.22.28.202:16706 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.35:443 facebook.com tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.35:443 facebook.com tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
GB 157.240.221.35:443 fbcdn.net tcp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 fbsbx.com udp
GB 157.240.221.35:443 fbsbx.com tcp
GB 157.240.221.35:443 fbsbx.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
TR 185.216.70.238:37515 tcp
US 172.67.75.172:443 api.ip.sb tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
GB 157.240.221.35:443 fbsbx.com tcp
GB 157.240.221.35:443 fbsbx.com tcp

Files

memory/2792-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2792-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2792-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2792-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2792-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2792-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1264-5-0x0000000002600000-0x0000000002616000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F23B.exe

MD5 3811199cb90b54367f4fd272596a164f
SHA1 dab90355c745ecd3ce5cff579cdbaf3edbfc8cc1
SHA256 0283be1608e0eabb70b9f2fe4484c404d601f942ab7916a944b0e6e79f2fd779
SHA512 9aefc503e0629c019cad1bc336dcdc6768d950a045aa3b3fe5e2acc114b50539468a29f31d96f65300b68cc7f931f9b84ed8a8ad6677f7abdf52d1bd165e85e6

C:\Users\Admin\AppData\Local\Temp\F23B.exe

MD5 3811199cb90b54367f4fd272596a164f
SHA1 dab90355c745ecd3ce5cff579cdbaf3edbfc8cc1
SHA256 0283be1608e0eabb70b9f2fe4484c404d601f942ab7916a944b0e6e79f2fd779
SHA512 9aefc503e0629c019cad1bc336dcdc6768d950a045aa3b3fe5e2acc114b50539468a29f31d96f65300b68cc7f931f9b84ed8a8ad6677f7abdf52d1bd165e85e6

C:\Users\Admin\AppData\Local\Temp\F43F.exe

MD5 416cf064a9e57b882e20730078dabd4e
SHA1 723437acfb805fd0e7b962314af1faf156c71d66
SHA256 88e1e1797d1856004d423897eef01d5fb5c7496a4a4ed04126b4cd3ca5ac79cf
SHA512 27534431558e75de4b7c3b9405a18c2191b58be634b04a270dced0f6070d07d9c77fed7e20a87c4adeed2562b7d43365e953c90a8206604de53e928a7a2432b0

C:\Users\Admin\AppData\Local\Temp\F43F.exe

MD5 416cf064a9e57b882e20730078dabd4e
SHA1 723437acfb805fd0e7b962314af1faf156c71d66
SHA256 88e1e1797d1856004d423897eef01d5fb5c7496a4a4ed04126b4cd3ca5ac79cf
SHA512 27534431558e75de4b7c3b9405a18c2191b58be634b04a270dced0f6070d07d9c77fed7e20a87c4adeed2562b7d43365e953c90a8206604de53e928a7a2432b0

C:\Users\Admin\AppData\Local\Temp\F5D6.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\F5D6.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\F23B.exe

MD5 3811199cb90b54367f4fd272596a164f
SHA1 dab90355c745ecd3ce5cff579cdbaf3edbfc8cc1
SHA256 0283be1608e0eabb70b9f2fe4484c404d601f942ab7916a944b0e6e79f2fd779
SHA512 9aefc503e0629c019cad1bc336dcdc6768d950a045aa3b3fe5e2acc114b50539468a29f31d96f65300b68cc7f931f9b84ed8a8ad6677f7abdf52d1bd165e85e6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

MD5 2729ee9de498bb7fa65a77a06dd79395
SHA1 0bb316d9dde4dadee01abb0137e940c3ed990ce3
SHA256 b76e279fd34dadca8fe5f8dbb516efb1fd56e00d6e5a5c059dd238ffd5420043
SHA512 2882a74a6c1aa5f264e8351073e108dab2e547ef51e82a3cb02c8c28d9db43df30f1c2e703efa824c798bd316dad04a48fb09584de8cf10fd6aa8f06a0f9226d

\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

MD5 2729ee9de498bb7fa65a77a06dd79395
SHA1 0bb316d9dde4dadee01abb0137e940c3ed990ce3
SHA256 b76e279fd34dadca8fe5f8dbb516efb1fd56e00d6e5a5c059dd238ffd5420043
SHA512 2882a74a6c1aa5f264e8351073e108dab2e547ef51e82a3cb02c8c28d9db43df30f1c2e703efa824c798bd316dad04a48fb09584de8cf10fd6aa8f06a0f9226d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

MD5 2729ee9de498bb7fa65a77a06dd79395
SHA1 0bb316d9dde4dadee01abb0137e940c3ed990ce3
SHA256 b76e279fd34dadca8fe5f8dbb516efb1fd56e00d6e5a5c059dd238ffd5420043
SHA512 2882a74a6c1aa5f264e8351073e108dab2e547ef51e82a3cb02c8c28d9db43df30f1c2e703efa824c798bd316dad04a48fb09584de8cf10fd6aa8f06a0f9226d

C:\Users\Admin\AppData\Local\Temp\F7AB.exe

MD5 4469ecfd358d98a13e11c5b04483290f
SHA1 01c2cbbefda53f32107635778fa9e0f721633884
SHA256 d83191b5b2bd4024ab4d56c107d47b2ff7d4ba2dfd9245da6c811006226e2c76
SHA512 2a6f2140ea9b3ae328b2d41535857399d41e234ec8811e26c98de4a90524ff03bda9fb3f6b2403abb45b079b7cc982fdf92ad243780ba7a6072bbdb6146ea65d

C:\Users\Admin\AppData\Local\Temp\F7AB.exe

MD5 4469ecfd358d98a13e11c5b04483290f
SHA1 01c2cbbefda53f32107635778fa9e0f721633884
SHA256 d83191b5b2bd4024ab4d56c107d47b2ff7d4ba2dfd9245da6c811006226e2c76
SHA512 2a6f2140ea9b3ae328b2d41535857399d41e234ec8811e26c98de4a90524ff03bda9fb3f6b2403abb45b079b7cc982fdf92ad243780ba7a6072bbdb6146ea65d

\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

MD5 2729ee9de498bb7fa65a77a06dd79395
SHA1 0bb316d9dde4dadee01abb0137e940c3ed990ce3
SHA256 b76e279fd34dadca8fe5f8dbb516efb1fd56e00d6e5a5c059dd238ffd5420043
SHA512 2882a74a6c1aa5f264e8351073e108dab2e547ef51e82a3cb02c8c28d9db43df30f1c2e703efa824c798bd316dad04a48fb09584de8cf10fd6aa8f06a0f9226d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

MD5 1902adb7a069147b706a6511b6090e1e
SHA1 1fac7defb485bc8aa493f6e9d3148f86e48a276c
SHA256 a30b11c09970997caccbc62c5c26ba91c92aef2f7c694f41c2fd3eaaded3d767
SHA512 6b711d8991d5e10ee189849668e5cce962bcbcac0e088ee027aa8571681afffeeed036b365a0e622fb939837c5e29779cb2a4ade03e0495387033db6a4167b05

\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

MD5 1902adb7a069147b706a6511b6090e1e
SHA1 1fac7defb485bc8aa493f6e9d3148f86e48a276c
SHA256 a30b11c09970997caccbc62c5c26ba91c92aef2f7c694f41c2fd3eaaded3d767
SHA512 6b711d8991d5e10ee189849668e5cce962bcbcac0e088ee027aa8571681afffeeed036b365a0e622fb939837c5e29779cb2a4ade03e0495387033db6a4167b05

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

MD5 1902adb7a069147b706a6511b6090e1e
SHA1 1fac7defb485bc8aa493f6e9d3148f86e48a276c
SHA256 a30b11c09970997caccbc62c5c26ba91c92aef2f7c694f41c2fd3eaaded3d767
SHA512 6b711d8991d5e10ee189849668e5cce962bcbcac0e088ee027aa8571681afffeeed036b365a0e622fb939837c5e29779cb2a4ade03e0495387033db6a4167b05

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

MD5 1902adb7a069147b706a6511b6090e1e
SHA1 1fac7defb485bc8aa493f6e9d3148f86e48a276c
SHA256 a30b11c09970997caccbc62c5c26ba91c92aef2f7c694f41c2fd3eaaded3d767
SHA512 6b711d8991d5e10ee189849668e5cce962bcbcac0e088ee027aa8571681afffeeed036b365a0e622fb939837c5e29779cb2a4ade03e0495387033db6a4167b05

\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

MD5 15306f703f46d7c4e2d4372127168be9
SHA1 ac7a19226ac7da9a9cf3bc56aca395f008a09055
SHA256 16b21cad8817355f46233f6b221f8b5f7b6feb529f813e53bcd3ac3742c6eb66
SHA512 103b2e175a6d55c69a15eeab1140e8931848db7e33389b791aa563d1b4650febdc4c315cab8a8e4a87be70d761111d00065996f989e1e1193579562966d80e94

\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

MD5 15306f703f46d7c4e2d4372127168be9
SHA1 ac7a19226ac7da9a9cf3bc56aca395f008a09055
SHA256 16b21cad8817355f46233f6b221f8b5f7b6feb529f813e53bcd3ac3742c6eb66
SHA512 103b2e175a6d55c69a15eeab1140e8931848db7e33389b791aa563d1b4650febdc4c315cab8a8e4a87be70d761111d00065996f989e1e1193579562966d80e94

C:\Users\Admin\AppData\Local\Temp\4F4.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

MD5 15306f703f46d7c4e2d4372127168be9
SHA1 ac7a19226ac7da9a9cf3bc56aca395f008a09055
SHA256 16b21cad8817355f46233f6b221f8b5f7b6feb529f813e53bcd3ac3742c6eb66
SHA512 103b2e175a6d55c69a15eeab1140e8931848db7e33389b791aa563d1b4650febdc4c315cab8a8e4a87be70d761111d00065996f989e1e1193579562966d80e94

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

MD5 15306f703f46d7c4e2d4372127168be9
SHA1 ac7a19226ac7da9a9cf3bc56aca395f008a09055
SHA256 16b21cad8817355f46233f6b221f8b5f7b6feb529f813e53bcd3ac3742c6eb66
SHA512 103b2e175a6d55c69a15eeab1140e8931848db7e33389b791aa563d1b4650febdc4c315cab8a8e4a87be70d761111d00065996f989e1e1193579562966d80e94

\Users\Admin\AppData\Local\Temp\F43F.exe

MD5 416cf064a9e57b882e20730078dabd4e
SHA1 723437acfb805fd0e7b962314af1faf156c71d66
SHA256 88e1e1797d1856004d423897eef01d5fb5c7496a4a4ed04126b4cd3ca5ac79cf
SHA512 27534431558e75de4b7c3b9405a18c2191b58be634b04a270dced0f6070d07d9c77fed7e20a87c4adeed2562b7d43365e953c90a8206604de53e928a7a2432b0

C:\Users\Admin\AppData\Local\Temp\4F4.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\F43F.exe

MD5 416cf064a9e57b882e20730078dabd4e
SHA1 723437acfb805fd0e7b962314af1faf156c71d66
SHA256 88e1e1797d1856004d423897eef01d5fb5c7496a4a4ed04126b4cd3ca5ac79cf
SHA512 27534431558e75de4b7c3b9405a18c2191b58be634b04a270dced0f6070d07d9c77fed7e20a87c4adeed2562b7d43365e953c90a8206604de53e928a7a2432b0

\Users\Admin\AppData\Local\Temp\F43F.exe

MD5 416cf064a9e57b882e20730078dabd4e
SHA1 723437acfb805fd0e7b962314af1faf156c71d66
SHA256 88e1e1797d1856004d423897eef01d5fb5c7496a4a4ed04126b4cd3ca5ac79cf
SHA512 27534431558e75de4b7c3b9405a18c2191b58be634b04a270dced0f6070d07d9c77fed7e20a87c4adeed2562b7d43365e953c90a8206604de53e928a7a2432b0

\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

MD5 09b7c39a7b91b989f9c775789f7fad5c
SHA1 dc96862468157e0509789f5bb56ddfbb87d6aca3
SHA256 75839f0bd255370a7ac4e5978fbef05ca6252bfcb84288b08af06c198b1a13b5
SHA512 d7e84198abc0e75cc19eb67aa62cc400bed58335380ad92a8a4ba40b27c8545c37979ce1d99c6f140b9c65afbcc23e46c64daed84dd003578e788d139f835234

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

MD5 09b7c39a7b91b989f9c775789f7fad5c
SHA1 dc96862468157e0509789f5bb56ddfbb87d6aca3
SHA256 75839f0bd255370a7ac4e5978fbef05ca6252bfcb84288b08af06c198b1a13b5
SHA512 d7e84198abc0e75cc19eb67aa62cc400bed58335380ad92a8a4ba40b27c8545c37979ce1d99c6f140b9c65afbcc23e46c64daed84dd003578e788d139f835234

\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

MD5 09b7c39a7b91b989f9c775789f7fad5c
SHA1 dc96862468157e0509789f5bb56ddfbb87d6aca3
SHA256 75839f0bd255370a7ac4e5978fbef05ca6252bfcb84288b08af06c198b1a13b5
SHA512 d7e84198abc0e75cc19eb67aa62cc400bed58335380ad92a8a4ba40b27c8545c37979ce1d99c6f140b9c65afbcc23e46c64daed84dd003578e788d139f835234

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

MD5 09b7c39a7b91b989f9c775789f7fad5c
SHA1 dc96862468157e0509789f5bb56ddfbb87d6aca3
SHA256 75839f0bd255370a7ac4e5978fbef05ca6252bfcb84288b08af06c198b1a13b5
SHA512 d7e84198abc0e75cc19eb67aa62cc400bed58335380ad92a8a4ba40b27c8545c37979ce1d99c6f140b9c65afbcc23e46c64daed84dd003578e788d139f835234

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

\Users\Admin\AppData\Local\Temp\F43F.exe

MD5 416cf064a9e57b882e20730078dabd4e
SHA1 723437acfb805fd0e7b962314af1faf156c71d66
SHA256 88e1e1797d1856004d423897eef01d5fb5c7496a4a4ed04126b4cd3ca5ac79cf
SHA512 27534431558e75de4b7c3b9405a18c2191b58be634b04a270dced0f6070d07d9c77fed7e20a87c4adeed2562b7d43365e953c90a8206604de53e928a7a2432b0

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\E87.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\E87.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\F7AB.exe

MD5 4469ecfd358d98a13e11c5b04483290f
SHA1 01c2cbbefda53f32107635778fa9e0f721633884
SHA256 d83191b5b2bd4024ab4d56c107d47b2ff7d4ba2dfd9245da6c811006226e2c76
SHA512 2a6f2140ea9b3ae328b2d41535857399d41e234ec8811e26c98de4a90524ff03bda9fb3f6b2403abb45b079b7cc982fdf92ad243780ba7a6072bbdb6146ea65d

\Users\Admin\AppData\Local\Temp\F7AB.exe

MD5 4469ecfd358d98a13e11c5b04483290f
SHA1 01c2cbbefda53f32107635778fa9e0f721633884
SHA256 d83191b5b2bd4024ab4d56c107d47b2ff7d4ba2dfd9245da6c811006226e2c76
SHA512 2a6f2140ea9b3ae328b2d41535857399d41e234ec8811e26c98de4a90524ff03bda9fb3f6b2403abb45b079b7cc982fdf92ad243780ba7a6072bbdb6146ea65d

\Users\Admin\AppData\Local\Temp\F7AB.exe

MD5 4469ecfd358d98a13e11c5b04483290f
SHA1 01c2cbbefda53f32107635778fa9e0f721633884
SHA256 d83191b5b2bd4024ab4d56c107d47b2ff7d4ba2dfd9245da6c811006226e2c76
SHA512 2a6f2140ea9b3ae328b2d41535857399d41e234ec8811e26c98de4a90524ff03bda9fb3f6b2403abb45b079b7cc982fdf92ad243780ba7a6072bbdb6146ea65d

\Users\Admin\AppData\Local\Temp\F7AB.exe

MD5 4469ecfd358d98a13e11c5b04483290f
SHA1 01c2cbbefda53f32107635778fa9e0f721633884
SHA256 d83191b5b2bd4024ab4d56c107d47b2ff7d4ba2dfd9245da6c811006226e2c76
SHA512 2a6f2140ea9b3ae328b2d41535857399d41e234ec8811e26c98de4a90524ff03bda9fb3f6b2403abb45b079b7cc982fdf92ad243780ba7a6072bbdb6146ea65d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\1AB8.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

memory/1644-146-0x0000000000D60000-0x0000000000D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3B81.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\3B81.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/560-155-0x00000000002F0000-0x000000000034A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5CE7.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\5CE7.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\1AB8.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\3B81.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/1612-168-0x0000000001090000-0x00000000010AE000-memory.dmp

memory/1644-169-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1AB8.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\6CB1.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

memory/1132-174-0x00000000004A0000-0x00000000004A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\CabAB01.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\TarC364.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2888-218-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2888-219-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ddc2b22c0df95960ef99017e326de99
SHA1 9eed5aa03f350c3bb9967d29854082e669bec25f
SHA256 78764e905b01cd8931432577fce1374bbe6fc886653a1b79f2dd2910c4c8e76a
SHA512 1551bf200193dffbc68cc6c57716cfe8a180cf8250a08d1baaf3ff0be3a2cbeed834fed09c5d7e4debd998a24549cd0d9554674c3f41277974729456ca53dbfe

memory/2888-238-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B7D5.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/2888-267-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2888-272-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B7D5.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/2576-264-0x0000000000BE0000-0x0000000000D38000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fc04a48ee06dffa9c6272ec382b202b
SHA1 e10cb45ec15cc3bac1107718cf2fcbda7888791e
SHA256 9e016f0406e884771b4952f4d3d9b44e9ef1818837e39a70d4a7f2b97777e93f
SHA512 ada5e373c54e4ad843f007f9ed2d35bd4cd48a6a2b2023b42fdf658536d6c5740077fce05a03443e22b72ef417b40134599e97f6792fe9502dc8e59ab4b3d8ce

memory/1484-289-0x0000000000470000-0x00000000004CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B7D5.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\E155.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\E155.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/2544-301-0x0000000000C70000-0x0000000000CCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED77.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

\Users\Admin\AppData\Local\Temp\ED77.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

memory/1612-318-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/560-319-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/2888-320-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/1484-321-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1484-322-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/2888-324-0x0000000007490000-0x00000000074D0000-memory.dmp

memory/1484-323-0x0000000006FA0000-0x0000000006FE0000-memory.dmp

memory/2544-329-0x0000000002310000-0x0000000002350000-memory.dmp

memory/2544-328-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/560-331-0x0000000002070000-0x00000000020B0000-memory.dmp

memory/560-330-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PL78BP4I\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/1644-511-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp182A.tmp

MD5 f53b7e590a4c6068513b2b42ceaf6292
SHA1 7d48901a22cd17519884cef703088b16eb8ab04f
SHA256 1ba7ecb5cecec10e4cc16b2e5668ba5ea4f52307f5543aba78e83de61e9fb3bf
SHA512 db510c474e4736ae8d23ee020bc029966f8ff2a9146dfc6a79604b05c4d95a4ce7a3d91a26c7d056e925012d62f459744db1d6df91e65c3da77ef6a1ab0ee231

C:\Users\Admin\AppData\Local\Temp\tmp1815.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/1484-582-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/2772-592-0x000000013F690000-0x000000013F98F000-memory.dmp

memory/1612-593-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/1724-594-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/1724-596-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/1724-597-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2772-600-0x000000013F690000-0x000000013F98F000-memory.dmp

memory/1724-599-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/560-602-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/2888-603-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/2888-604-0x0000000007490000-0x00000000074D0000-memory.dmp

memory/1724-601-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/2544-605-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/2544-606-0x0000000002310000-0x0000000002350000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18da3ac8a06daae7893c24f6c097dcd0
SHA1 79c3f04e0b1242b8f17425803d44106b55d1b15d
SHA256 33e37089c551e767796b7af782952197e7d1053c2dbdc590090699456c48a3f3
SHA512 9e7fe47e57549b329e261ab19053240c39faa720646ed795dd4e77065dc8b680a42306cd572719922ad39f956c1af84c1a8fb3d1f63467fa01fb3dc8397f0ebd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c5428859082d117d1ddcc1f78613e79
SHA1 955d1c146b8f93d6753e7c238df1b0723fef434d
SHA256 3d49ae205a4ef6e89098e7fc408fcfb530bfb3b71f04366188944d46d863aa58
SHA512 6f1ea152eda8d3164c113112b94855572b2728e2ac064c8d07eed72280aee04cce4909ada456c9fe01e83dba8c61865965aedae96ccfe0ae87301c11a372f64d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11ef6560c33021d16a6f22a9a4a86ab3
SHA1 a63868ea2fda68f08c3a461eecb1eeb6eb99f58a
SHA256 d06a4a92678c7ad4f410fefc2ec793f752bc64e7c8c9d74e00e5c1d82b7aee9e
SHA512 1732f7f8170136d49a357fd5c5c9a971c10f4c6aa0fdb80ce2bf45c6721f15184ce3e29c7b10171ca57744825c08551e087b0f66c4023997261232ab61008976

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ee317fec85f88917bbf73b246bfc06c
SHA1 7be6b6d8db1b34c11d554b62cc1fdec2c99a0f44
SHA256 5fafbfcf19f361be6ba6d1d1dc7d737c94f18ab275c24adf00f03d13f881d841
SHA512 2b1f42fb31403e21998343fdf6d5b85878d33b4d36250b52c7db9cb88056a84abda2810099424bdfa6e7953ad74af2332b9425fff058b7a2c6792ef10b45ff57

memory/2544-756-0x0000000070870000-0x0000000070F5E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc7aac25dbb78858ba21f8c169c150e0
SHA1 c9201353db6a847afe56db7dec99ab5c48d333b9
SHA256 5e343d196c20607716f6862855013644d1fe48c42f8b846a09117170fb4c265d
SHA512 02133fb6e69760c933ff722bdff24cfd4e1e62e78937dca34a2b6b069c2657d6cffc2e49a5105347ef941169d5a764958ba8afe9de2423d34bd4ae696b3a31a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c72f4881edf6cfa2c143143b1ccd056c
SHA1 6eaa087d2571afc5e009fcd13a155fd3f80fe122
SHA256 4538427da9d90ddb387c1a2db3b86abfea6bda12dd033a7a48363dd6a32063aa
SHA512 cd9538a2e0301b9867a016f414047b4e67564727770ce4fd34cc83b466ebbfd0195c9f8f3bafd88f8d571e7c388eac48bb6d87e477d08823ebe8573cdb8a3f4d

memory/560-821-0x0000000070870000-0x0000000070F5E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6180bc804a99d5109d4734f904b4afd
SHA1 8aa7872b76a78d8cd3e8df93f7215074b3d52251
SHA256 c190e422134afb9205afd44301d667f7f83c60ac9e08830679fad4aa7be7a9c1
SHA512 e4b81d02cfb1fd7b0f3aa2d17c90b9ae7f58f8afda9f64a8bdb6eadee6becbb816f68dc36843389de7100b18107be48e6091f2018e743e2bb2d60b56e17ac1bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e64c2bf973ce4a3f41792bbf611057c8
SHA1 5da4d4dc9be1e9874919a2c1fc7e28eb26a7cc55
SHA256 529f13f34e2447391667e5c2c20d6eaca03b3aa03627a938dc8c06819ddc224c
SHA512 7c6522926fec3197ca7ad2072a2fa3e79676657652be9cd66561579ad3bb802b2c50d991abbcc192e6116055c27e3d4122ddd83cfd5abae40bef08e2d058f88b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ecdabdac989dfdd59965452fca75109
SHA1 df84d274cae91134f5f03d0a38ffb464d6d2b3e2
SHA256 6328936d648916a34bd149a777ff0a9470b4c771f370aaefd4acaced821a1c8e
SHA512 0e15358d9e01c31402d34edf50a7fde7ea088e4085872b530bcca3acc1b9f4f0d2410e9a2e38457d4b53896b77ad700e6ff0730de2a36abc260868ad9f807c04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01df476ce9570562eef5d63847b08220
SHA1 7e2e5ae17e4f36a76ba9caa12b576338c9a34af4
SHA256 91640e73cf7a7550960101af7bb90a946b34c91209b79ba168d5c1f3544d0130
SHA512 b3cce6ff3d24fd563fa66e20062895734cfc04f718aa830d8b02e30e8272e2ada5e80bfc76d4ced7e63cfa57a3ee2fb85fdc9623904a998644d108d1c94b61f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c410a3cf6f165880ce162d7210d270cf
SHA1 921d21e775bed170a12af3c95388f6251ed06288
SHA256 22d0fe140d770b9df42652bec80f5f1bcfc4f2fc743d7358a289a7a6220c9d5d
SHA512 7f8b7526f9e26b0bad1a7bb97c25609f63ec32ce44848ba32af400b040629ffe3eee8176b51fdaa1ad33280f917609d78ebfa4abb86f2bd96ee0b8983b478149

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70d1ee4136dee88bebb696cb60b181f9
SHA1 cf2370a55626846fafadeb9679af2420ddfb1d6a
SHA256 2dd3d3863426a7917c9ea0c616221838a4f1cde1d8cfc6031dad67a56f4aa198
SHA512 8e137c1f8352da850f9a8ba3b9a89a4fdf06295af72e211a915dd8ed1fba12c24e3140343a75fb2f33df78f758e87fea50e0467a4c671918f468d0f45c62f3c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbb9af7cfe552568c4eca8e8cace1c9e
SHA1 7ee1cbacbab4b3d9cc2acb9acec3b20b7bb9b338
SHA256 d1d5caba9e119c159d66894ed210dd1e1678162a34346404c9c97da2dcb08015
SHA512 63bd7b8f2509041d78585bf473e602375443e66eb4bbd1e99bfb5f236cb4252fcbc0b6b47c8b76b65b0b7478c79fbf8d1ac349ba26dfde59efe24c7f5a7f9571

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9bec15083add15215e5d927350f5af06
SHA1 f418376feda53459fd1db8ef1b35e6d87c4ff8c5
SHA256 82ab5a740fe8dbdc26a4f1f02c4e2f7d95328436f991159cbeae38d642434135
SHA512 56c6fa613fddb65b01bf84cac58b233a998ec2c8c5eac6bf13690e6d7adf8ffee6676472f975797ec35b0f9ded5c682a186a570c99f3e7bbc953346dd09137f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8ff8ba7fc9ea6322901f9edc468a500
SHA1 b72132fd9fb1dd3927f8cbad905143b11c9cbf26
SHA256 fb84b2c31ad7db080441e8bb65326fe8ccbb7317a6ecf07a74dd8e95855fa366
SHA512 866c8f0a2824cb8590462cf80e63af098ae6cbc86bc9efc6c9d3caaf4d0995e5e6b5650e3e8bc362f133f3bad35164c0abb5bbb7dd740899e93a5ba03ff65c8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f37ccb5727a7022ee6b41d149366146
SHA1 23e42d8696c0015336a782eee0da3aed7abdb236
SHA256 1eef23e59997fa065149641824c83ece859dd4142b19738141984aa3653c9a13
SHA512 a7f40d1149e99b4e2dc05bf35d1ec126b3afcd7b76f2ae801ef8f170de07913aef60e9f01ec259075b8ba7df442d565001eaaa5a58c644d15c50a2fc5c37ad2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2929bcfac1433a2c3685f0efc9bd9ee
SHA1 14ccf41cc33597856d74b89dd89ea82edf448e2b
SHA256 e7fd6602cdc78135143b697b44dfb7b6ff0c20be250df481194586ea4dce2600
SHA512 a165f563224a8e97f93622e33bdce1f8b08b7cf2e2395cb66ec76adccc8649f576a2ab78fa889b371fa457e9946b37b7fa049c8b4e263a1a53e63250af1dc69a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c49cf019d09c3ad28a934ea01d03ea16
SHA1 7a183fea7a44d91d33edd77de1f184f8021a3c8a
SHA256 f2fa5c04422ee8d2ffc7304cdb59b727c25c11c78876356df5a8670aef4a064c
SHA512 c4d13d867cc7cbf543f492502ca5a9fca6d98646aae87bc01edb1b3f4c6be011704bde3e89247c37d6bafe6770a84d4bf4e70b6235a6179e451557bc79206f44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b777a5f9dc81093415366e4d0a70e8e4
SHA1 d2bd347dbdaa83d243b2549bf7d441477535b8bc
SHA256 265a32e4eee52997d42fcaee97e262547273713473de8e296f12af50ea80b41e
SHA512 403e1ef9d8d6ec31784d4e5002fc99e320dae9f0ec6517775f1f14eeae3c147efc7c8cb250a65d594926de77d0acd5045e8fcfb168f51b6b9b20367c80bb2c0b

memory/1612-1470-0x0000000070870000-0x0000000070F5E000-memory.dmp

memory/2888-1471-0x0000000070870000-0x0000000070F5E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 20:24

Reported

2023-10-12 15:07

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\225C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\225C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\225C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\225C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\225C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\225C.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1A88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C1F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2028.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\225C.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2A9C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2E95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3656.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3C24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3E38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2eu031rI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2A9C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2A9C.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\225C.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1A88.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe N/A

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\225C.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4492 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4492 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4492 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4492 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4492 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3204 wrote to memory of 3376 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A88.exe
PID 3204 wrote to memory of 3376 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A88.exe
PID 3204 wrote to memory of 3376 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A88.exe
PID 3204 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C1F.exe
PID 3204 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C1F.exe
PID 3204 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C1F.exe
PID 3376 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\1A88.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 3376 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\1A88.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 3376 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\1A88.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe
PID 4236 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 4236 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 4236 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe
PID 3204 wrote to memory of 1572 N/A N/A C:\Windows\system32\cmd.exe
PID 3204 wrote to memory of 1572 N/A N/A C:\Windows\system32\cmd.exe
PID 4140 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 4140 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 4140 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe
PID 1348 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe
PID 1348 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe
PID 1348 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe
PID 3204 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\2028.exe
PID 3204 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\2028.exe
PID 3204 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\2028.exe
PID 3144 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe
PID 3144 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe
PID 3144 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe
PID 3204 wrote to memory of 4144 N/A N/A C:\Users\Admin\AppData\Local\Temp\225C.exe
PID 3204 wrote to memory of 4144 N/A N/A C:\Users\Admin\AppData\Local\Temp\225C.exe
PID 3204 wrote to memory of 2140 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 2140 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 2140 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 2012 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3204 wrote to memory of 2012 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3204 wrote to memory of 2012 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2140 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2140 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3204 wrote to memory of 4616 N/A N/A C:\Users\Admin\AppData\Local\Temp\2A9C.exe
PID 3204 wrote to memory of 4616 N/A N/A C:\Users\Admin\AppData\Local\Temp\2A9C.exe
PID 3204 wrote to memory of 4616 N/A N/A C:\Users\Admin\AppData\Local\Temp\2A9C.exe
PID 2012 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2012 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2012 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2172 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3204 wrote to memory of 3724 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E95.exe
PID 3204 wrote to memory of 3724 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E95.exe
PID 3204 wrote to memory of 3724 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E95.exe
PID 2172 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\Temp\3656.exe
PID 3204 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\Temp\3656.exe
PID 3204 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\Temp\3656.exe
PID 4492 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4492 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4492 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe

"C:\Users\Admin\AppData\Local\Temp\8018d788ddb64cc177191b0b030ad148f46fb718c77a22a197f250d2afad15dc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 260

C:\Users\Admin\AppData\Local\Temp\1A88.exe

C:\Users\Admin\AppData\Local\Temp\1A88.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

C:\Users\Admin\AppData\Local\Temp\1C1F.exe

C:\Users\Admin\AppData\Local\Temp\1C1F.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D59.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

C:\Users\Admin\AppData\Local\Temp\2028.exe

C:\Users\Admin\AppData\Local\Temp\2028.exe

C:\Users\Admin\AppData\Local\Temp\225C.exe

C:\Users\Admin\AppData\Local\Temp\225C.exe

C:\Users\Admin\AppData\Local\Temp\253B.exe

C:\Users\Admin\AppData\Local\Temp\253B.exe

C:\Users\Admin\AppData\Local\Temp\278E.exe

C:\Users\Admin\AppData\Local\Temp\278E.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\2A9C.exe

C:\Users\Admin\AppData\Local\Temp\2A9C.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\2E95.exe

C:\Users\Admin\AppData\Local\Temp\2E95.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\3656.exe

C:\Users\Admin\AppData\Local\Temp\3656.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4616 -ip 4616

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\3C24.exe

C:\Users\Admin\AppData\Local\Temp\3C24.exe

C:\Users\Admin\AppData\Local\Temp\3E38.exe

C:\Users\Admin\AppData\Local\Temp\3E38.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\4F02.exe

C:\Users\Admin\AppData\Local\Temp\4F02.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffa776046f8,0x7ffa77604708,0x7ffa77604718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa776046f8,0x7ffa77604708,0x7ffa77604718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2304 -ip 2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3C24.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4344 -ip 4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa776046f8,0x7ffa77604708,0x7ffa77604718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 140

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,15676376738761957944,11803928926052470430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3192 -ip 3192

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2eu031rI.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2eu031rI.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 212

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3C24.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa776046f8,0x7ffa77604708,0x7ffa77604718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5096103843645308044,2329153785686088749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 mdec.nelreports.net udp
NL 84.53.175.81:443 mdec.nelreports.net tcp
NL 84.53.175.81:443 mdec.nelreports.net tcp
US 8.8.8.8:53 81.175.53.84.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
IE 34.252.33.233:443 mscom.demdex.net tcp
US 8.8.8.8:53 233.33.252.34.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.16:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 20.189.173.16:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 142.251.36.14:443 play.google.com udp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 142.250.179.141:443 accounts.google.com udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp

Files

memory/3032-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3032-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3204-2-0x0000000001110000-0x0000000001126000-memory.dmp

memory/3032-5-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1A88.exe

MD5 3811199cb90b54367f4fd272596a164f
SHA1 dab90355c745ecd3ce5cff579cdbaf3edbfc8cc1
SHA256 0283be1608e0eabb70b9f2fe4484c404d601f942ab7916a944b0e6e79f2fd779
SHA512 9aefc503e0629c019cad1bc336dcdc6768d950a045aa3b3fe5e2acc114b50539468a29f31d96f65300b68cc7f931f9b84ed8a8ad6677f7abdf52d1bd165e85e6

C:\Users\Admin\AppData\Local\Temp\1A88.exe

MD5 3811199cb90b54367f4fd272596a164f
SHA1 dab90355c745ecd3ce5cff579cdbaf3edbfc8cc1
SHA256 0283be1608e0eabb70b9f2fe4484c404d601f942ab7916a944b0e6e79f2fd779
SHA512 9aefc503e0629c019cad1bc336dcdc6768d950a045aa3b3fe5e2acc114b50539468a29f31d96f65300b68cc7f931f9b84ed8a8ad6677f7abdf52d1bd165e85e6

C:\Users\Admin\AppData\Local\Temp\1C1F.exe

MD5 416cf064a9e57b882e20730078dabd4e
SHA1 723437acfb805fd0e7b962314af1faf156c71d66
SHA256 88e1e1797d1856004d423897eef01d5fb5c7496a4a4ed04126b4cd3ca5ac79cf
SHA512 27534431558e75de4b7c3b9405a18c2191b58be634b04a270dced0f6070d07d9c77fed7e20a87c4adeed2562b7d43365e953c90a8206604de53e928a7a2432b0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

MD5 2729ee9de498bb7fa65a77a06dd79395
SHA1 0bb316d9dde4dadee01abb0137e940c3ed990ce3
SHA256 b76e279fd34dadca8fe5f8dbb516efb1fd56e00d6e5a5c059dd238ffd5420043
SHA512 2882a74a6c1aa5f264e8351073e108dab2e547ef51e82a3cb02c8c28d9db43df30f1c2e703efa824c798bd316dad04a48fb09584de8cf10fd6aa8f06a0f9226d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk9aS9qE.exe

MD5 2729ee9de498bb7fa65a77a06dd79395
SHA1 0bb316d9dde4dadee01abb0137e940c3ed990ce3
SHA256 b76e279fd34dadca8fe5f8dbb516efb1fd56e00d6e5a5c059dd238ffd5420043
SHA512 2882a74a6c1aa5f264e8351073e108dab2e547ef51e82a3cb02c8c28d9db43df30f1c2e703efa824c798bd316dad04a48fb09584de8cf10fd6aa8f06a0f9226d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

MD5 1902adb7a069147b706a6511b6090e1e
SHA1 1fac7defb485bc8aa493f6e9d3148f86e48a276c
SHA256 a30b11c09970997caccbc62c5c26ba91c92aef2f7c694f41c2fd3eaaded3d767
SHA512 6b711d8991d5e10ee189849668e5cce962bcbcac0e088ee027aa8571681afffeeed036b365a0e622fb939837c5e29779cb2a4ade03e0495387033db6a4167b05

C:\Users\Admin\AppData\Local\Temp\1C1F.exe

MD5 416cf064a9e57b882e20730078dabd4e
SHA1 723437acfb805fd0e7b962314af1faf156c71d66
SHA256 88e1e1797d1856004d423897eef01d5fb5c7496a4a4ed04126b4cd3ca5ac79cf
SHA512 27534431558e75de4b7c3b9405a18c2191b58be634b04a270dced0f6070d07d9c77fed7e20a87c4adeed2562b7d43365e953c90a8206604de53e928a7a2432b0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FP8TZ0SH.exe

MD5 1902adb7a069147b706a6511b6090e1e
SHA1 1fac7defb485bc8aa493f6e9d3148f86e48a276c
SHA256 a30b11c09970997caccbc62c5c26ba91c92aef2f7c694f41c2fd3eaaded3d767
SHA512 6b711d8991d5e10ee189849668e5cce962bcbcac0e088ee027aa8571681afffeeed036b365a0e622fb939837c5e29779cb2a4ade03e0495387033db6a4167b05

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

MD5 15306f703f46d7c4e2d4372127168be9
SHA1 ac7a19226ac7da9a9cf3bc56aca395f008a09055
SHA256 16b21cad8817355f46233f6b221f8b5f7b6feb529f813e53bcd3ac3742c6eb66
SHA512 103b2e175a6d55c69a15eeab1140e8931848db7e33389b791aa563d1b4650febdc4c315cab8a8e4a87be70d761111d00065996f989e1e1193579562966d80e94

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

MD5 09b7c39a7b91b989f9c775789f7fad5c
SHA1 dc96862468157e0509789f5bb56ddfbb87d6aca3
SHA256 75839f0bd255370a7ac4e5978fbef05ca6252bfcb84288b08af06c198b1a13b5
SHA512 d7e84198abc0e75cc19eb67aa62cc400bed58335380ad92a8a4ba40b27c8545c37979ce1d99c6f140b9c65afbcc23e46c64daed84dd003578e788d139f835234

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VD5hS1LT.exe

MD5 09b7c39a7b91b989f9c775789f7fad5c
SHA1 dc96862468157e0509789f5bb56ddfbb87d6aca3
SHA256 75839f0bd255370a7ac4e5978fbef05ca6252bfcb84288b08af06c198b1a13b5
SHA512 d7e84198abc0e75cc19eb67aa62cc400bed58335380ad92a8a4ba40b27c8545c37979ce1d99c6f140b9c65afbcc23e46c64daed84dd003578e788d139f835234

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dF6hI7aZ.exe

MD5 15306f703f46d7c4e2d4372127168be9
SHA1 ac7a19226ac7da9a9cf3bc56aca395f008a09055
SHA256 16b21cad8817355f46233f6b221f8b5f7b6feb529f813e53bcd3ac3742c6eb66
SHA512 103b2e175a6d55c69a15eeab1140e8931848db7e33389b791aa563d1b4650febdc4c315cab8a8e4a87be70d761111d00065996f989e1e1193579562966d80e94

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

C:\Users\Admin\AppData\Local\Temp\2028.exe

MD5 4469ecfd358d98a13e11c5b04483290f
SHA1 01c2cbbefda53f32107635778fa9e0f721633884
SHA256 d83191b5b2bd4024ab4d56c107d47b2ff7d4ba2dfd9245da6c811006226e2c76
SHA512 2a6f2140ea9b3ae328b2d41535857399d41e234ec8811e26c98de4a90524ff03bda9fb3f6b2403abb45b079b7cc982fdf92ad243780ba7a6072bbdb6146ea65d

C:\Users\Admin\AppData\Local\Temp\1D59.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\2028.exe

MD5 4469ecfd358d98a13e11c5b04483290f
SHA1 01c2cbbefda53f32107635778fa9e0f721633884
SHA256 d83191b5b2bd4024ab4d56c107d47b2ff7d4ba2dfd9245da6c811006226e2c76
SHA512 2a6f2140ea9b3ae328b2d41535857399d41e234ec8811e26c98de4a90524ff03bda9fb3f6b2403abb45b079b7cc982fdf92ad243780ba7a6072bbdb6146ea65d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jE17CY7.exe

MD5 f2f89e817d77598fd374ee4bc98f9fc6
SHA1 0fa397ee8919a2fae8776d1888505cc573a2c062
SHA256 6be6794a1959a15849dbca0d9cd224d10bbec95c00a41dfb34b24bb3065ed23c
SHA512 42e288a8a088ac80f605315fd876976b635dd02480bd2d054b692daee17464a87f243fb6e21e481dc10ee24bef6e58db61d4dd76d4bb0830c707d56b80d6fb32

C:\Users\Admin\AppData\Local\Temp\225C.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/4144-65-0x0000000000010000-0x000000000001A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\225C.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\253B.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4144-72-0x00007FFA74B80000-0x00007FFA75641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\253B.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\278E.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\278E.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\2A9C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\2E95.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\2A9C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\2E95.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/3724-102-0x0000000000510000-0x000000000052E000-memory.dmp

memory/4616-103-0x00000000020C0000-0x000000000211A000-memory.dmp

memory/3724-106-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/3724-111-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3724-107-0x0000000005380000-0x0000000005998000-memory.dmp

memory/4616-112-0x0000000000400000-0x000000000046F000-memory.dmp

memory/216-114-0x0000000000730000-0x0000000000888000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2A9C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\2A9C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\3656.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

memory/3724-117-0x0000000004E00000-0x0000000004E3C000-memory.dmp

memory/4616-118-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/3724-121-0x0000000004D50000-0x0000000004D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3C24.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/3724-123-0x0000000004E40000-0x0000000004E8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3656.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\3E38.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\3C24.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/2416-129-0x0000000000870000-0x00000000008CA000-memory.dmp

memory/2416-131-0x00000000736C0000-0x0000000073E70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3E38.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/3724-132-0x00000000050A0000-0x00000000051AA000-memory.dmp

memory/2416-133-0x0000000007B30000-0x00000000080D4000-memory.dmp

memory/2416-134-0x0000000007660000-0x00000000076F2000-memory.dmp

memory/4144-135-0x00007FFA74B80000-0x00007FFA75641000-memory.dmp

memory/2416-136-0x0000000007800000-0x0000000007810000-memory.dmp

memory/2416-137-0x0000000007810000-0x000000000781A000-memory.dmp

memory/2872-139-0x0000000001F70000-0x0000000001FCA000-memory.dmp

memory/2872-138-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4F02.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

memory/3724-147-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/4144-149-0x00007FFA74B80000-0x00007FFA75641000-memory.dmp

memory/216-151-0x0000000000730000-0x0000000000888000-memory.dmp

memory/4092-152-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2416-158-0x0000000008200000-0x0000000008266000-memory.dmp

memory/4092-164-0x00000000736C0000-0x0000000073E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/216-165-0x0000000000730000-0x0000000000888000-memory.dmp

memory/4616-166-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/4092-169-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

memory/3724-171-0x0000000004D50000-0x0000000004D60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/1972-186-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1972-185-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2416-184-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/3724-187-0x0000000006380000-0x0000000006542000-memory.dmp

memory/1972-188-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1972-196-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3724-195-0x0000000006A80000-0x0000000006FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

\??\pipe\LOCAL\crashpad_2136_CLIXPJVNTRJNORNX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4864-214-0x00007FF70FE40000-0x00007FF71013F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/2416-216-0x0000000007800000-0x0000000007810000-memory.dmp

memory/3660-221-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3660-215-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3660-213-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0a2601c6e48a95e65d38ab6eefccd696
SHA1 965898b6b3e2fe2d37cb9fe10f948952f1078f42
SHA256 b9e9b1e21f9adc5b8c975b967fb0580d75f6fbf9948b576ce89055d8c8a7c69c
SHA512 3e712bc76917cf5df02e70f0c78683e48bcf703d9f4f69db429e90af3195e568c5b4f0ae3357c543aaa656a4d7ee8f82b7736c27ec6758932180a7046a3f1952

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4aaaaeda2349493fd130a2be284c1b88
SHA1 5700fc439bef2b3a53af9a3116984e81515f0a17
SHA256 7adc4e6a7128e0be9fa66d0de19f8962800b5c2511e47786f8042e3594475022
SHA512 1c3057557c70b654096b78bbbf5de1a5b20e5fdf0b2863c1f965f6b13c581839a2525ca5481f1e0e4ca7e3291bf955822326076e8b8ff077f6db2a465710ab9c

memory/4616-249-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/2416-250-0x00000000098B0000-0x0000000009900000-memory.dmp

memory/2416-253-0x0000000009980000-0x00000000099F6000-memory.dmp

memory/1972-273-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5992-274-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4092-287-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/5992-288-0x00000000736C0000-0x0000000073E70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2eu031rI.exe

MD5 b244cfa67cf8a7105715cf8728d29300
SHA1 0cdc6d767c045add776f37f9142577e3cb8bf871
SHA256 f0cb52a8e547eec4227c6325ec798a1b7b997e11785ec9b55d9d4fa789901916
SHA512 bb1a4a58841a1960c2796a771ab84408b6f7b5d17b87e3b7f892163dbd521823fdd6b9580c5c8bc17cfa633bee0f4bd6ddf9c0f3a874ca66d9731c4043283e1d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2eu031rI.exe

MD5 b244cfa67cf8a7105715cf8728d29300
SHA1 0cdc6d767c045add776f37f9142577e3cb8bf871
SHA256 f0cb52a8e547eec4227c6325ec798a1b7b997e11785ec9b55d9d4fa789901916
SHA512 bb1a4a58841a1960c2796a771ab84408b6f7b5d17b87e3b7f892163dbd521823fdd6b9580c5c8bc17cfa633bee0f4bd6ddf9c0f3a874ca66d9731c4043283e1d

memory/6120-295-0x0000000000A60000-0x0000000000A93000-memory.dmp

memory/4092-294-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

memory/4884-297-0x00000000007D0000-0x000000000080E000-memory.dmp

memory/6120-298-0x0000000000A60000-0x0000000000A93000-memory.dmp

memory/4864-306-0x00007FF70FE40000-0x00007FF71013F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9544.tmp

MD5 8395952fd7f884ddb74e81045da7a35e
SHA1 f0f7f233824600f49147252374bc4cdfab3594b9
SHA256 248c0c254592c08684c603ac37896813354c88ab5992fadf9d719ec5b958af58
SHA512 ea296a74758c94f98c352ff7d64c85dcd23410f9b4d3b1713218b8ee45c6b02febff53073819c973da0207471c7d70309461d47949e4d40ba7423328cf23f6cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 643069d7a98570d1c7bcefeb06e2c319
SHA1 514c53d69158aae7edaa0ae1a6be59822be263b8
SHA256 8f262ffe690cab899850b908776705d91719468d5613951077b3e7e88a4bfb74
SHA512 bf92e0b80007a30969a82ff17a034c9e9299be688f50c7efbb89a85056c56a03b20842aa1489e7828087e3db5e8ba4ef6a44a5c0768f7462fdf9bfc48782a4ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4aaaaeda2349493fd130a2be284c1b88
SHA1 5700fc439bef2b3a53af9a3116984e81515f0a17
SHA256 7adc4e6a7128e0be9fa66d0de19f8962800b5c2511e47786f8042e3594475022
SHA512 1c3057557c70b654096b78bbbf5de1a5b20e5fdf0b2863c1f965f6b13c581839a2525ca5481f1e0e4ca7e3291bf955822326076e8b8ff077f6db2a465710ab9c

C:\Users\Admin\AppData\Local\Temp\tmp9463.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/6120-307-0x0000000000A60000-0x0000000000A93000-memory.dmp

memory/4884-338-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/6120-340-0x0000000000A60000-0x0000000000A93000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9792.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp97A8.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp9879.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/4884-469-0x0000000007760000-0x0000000007770000-memory.dmp

memory/6120-470-0x0000000000A60000-0x0000000000A93000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9931.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 643069d7a98570d1c7bcefeb06e2c319
SHA1 514c53d69158aae7edaa0ae1a6be59822be263b8
SHA256 8f262ffe690cab899850b908776705d91719468d5613951077b3e7e88a4bfb74
SHA512 bf92e0b80007a30969a82ff17a034c9e9299be688f50c7efbb89a85056c56a03b20842aa1489e7828087e3db5e8ba4ef6a44a5c0768f7462fdf9bfc48782a4ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3f0ac4833102e619ffbda5eb1a193164
SHA1 2bc70f891a064d03851a02f05d75d7b51753b439
SHA256 e40db3c627bc83060b844b3ba2e2a0f54b7acbecb830d7137c1420a766eb683a
SHA512 0da7bf0c97d55029e007b5589f86d042c9395625510ac2db4c5d6fa16bd56bbfb41bc6cb631a41364816a563188075a6ed1a87b1740443deb856a6a250c89a92

memory/3724-481-0x0000000006A60000-0x0000000006A7E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

\??\pipe\LOCAL\crashpad_3820_PTUCXZERXCHXBYYR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3724-515-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/5992-526-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/4884-531-0x00000000736C0000-0x0000000073E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5992-543-0x0000000007C90000-0x0000000007CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e6e60f3d1993a396506d394c2542a6b4
SHA1 3beb8c9b97ffab2f7b2c7390952bacd1d0249ba6
SHA256 a56317264ff56ae214a9bb4dfb9d5cdaf19fd49623524df9a330bd388056d6de
SHA512 1e3ef905b65455b0b39af81f1c4022a1123fdcf10550561c409af909902b9f92954dd6be59e6cd2b88705b04d30ad9d22ac80575855309a453980785da23d927

memory/2416-550-0x00000000736C0000-0x0000000073E70000-memory.dmp

memory/4092-559-0x00000000736C0000-0x0000000073E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/4884-576-0x0000000007760000-0x0000000007770000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9a24180011eb237b946dff294bca4b3e
SHA1 43a0fa7312906c6d1d2a65993412670f8acc38e1
SHA256 cca4d83b96072836d99af134445c4ec2511cdc77c43154126cd392d43f3df8c4
SHA512 533b49ecc4daca781b365db663c7ebf6b4dd47984d1372bc2bc49b7682114f2c770fe9532670a8579a8ee0fa7ae28a9bdc2371f69e9194f07c2c109316f196de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8a8dfd4147e20477583393fca59f14cb
SHA1 12d6e6ef8e8b871d9ca46b898461446378928933
SHA256 d422e330eead82ffc1e7554cdf8365eb1ea97e90e851d592b7f68e5d8aa62f39
SHA512 e1797442e4f73175ce8c7d017f2d4e846137435a4d066f094e0d0b6bab73f348d4c339b608fe3fed97e4d53e5da569e547c849bb9fb3f481841c194b4dd48568

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d3a7.TMP

MD5 90dd318d951c53b01b15fd03f5763647
SHA1 8c2b0ebb6e2a44eb9a37a5a639d52483e9d4e327
SHA256 cc1a7abc4eb2687fe10f9e4c08884ac0d2cd43047395ed5bcb109e6f1cf914f6
SHA512 673a66df0ad2a90a92edb9d4c7908ad90316aa7b8a1545f2bb17ca23325a4d726d97711739fa007c1a30e5ab58fc9e37ab38a3ca3f5a3011789a370c4d927ece

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2f60ee253ad11aac7a0401aea0865648
SHA1 09ff6b6dcfc5b78399c8ab7a1a45e3f3b70933a4
SHA256 005eb6b5ab77a814d0bc136fc732152611b071a9ae6963ecfc6946a804322725
SHA512 df6b05d27f0fd1af2c9b24cc12310f0476feedaf2d086828512eb74b1d499aa58a5f113be265f60702b76b51004207550f695ef7fb47b668c5ecff13110f72f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9bf46c264e770310e690f8c9e63503ec
SHA1 4d14edfdcc569e48d7ea2211fcb5b058523c3fe7
SHA256 995fe8153cc380608bf05296f7103619800643bce1403f3afa69cac5d13e9a3a
SHA512 08503452c58df70b1f28e18024da81f385b837f4fc21c25fec99eda90a3b828e94467ac873cdccbc74b7530cc7d8f52f60785df586872c84d0dfafd0f355c73d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0767594cffd53c5406244b297fbd7380
SHA1 73e686fba2455ca8f2cedcb24938059d76dc16ad
SHA256 5342f9e67298aa0ef849dd013025f8c2cc543de8db9b12f77b6f0db83a400093
SHA512 42607e7e82a17017543964b77ba788abf63815f37d011308ca61178bd896bc8cca19b4b6fd2bd1b21ff7b7ef384725f7ecf67d29356f38afb6b25b06459b7743

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 60d847f9f0511c1468ee14767ff98a7d
SHA1 2d8a4bfee09589fbbbcd5843bfc7f87c8c6a5928
SHA256 b6da67e66deeecf1e97560a3a3233ab07266e028e6b2a8ccfab0c40267357336
SHA512 6e55f3c89da340bbd37e751349118d57ded87264f9adc7f1d7662f4519f7bb30696a831bae9c74144b05c9d8983b6bef3c68773bd822cf4f51936f7811ff59c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e5b1cf57c49b951380b36eda1731eb63
SHA1 dfa24b362dbc876839e80d37fc36e771cf0efd78
SHA256 fa2e8434132d3ad91aab0d8c476b4aa5916f9d4ec6ee40255d568efe7815cd45
SHA512 a0c37346b024d9a6e62a82ac2cec8e4715a51dcd7fde96600e0af291e30e605ff4968e663d51bc19f050cf07426e1a93726278a80a6de2869d86b60889a89e7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 355e32fee51b140b803781e57d54e75f
SHA1 b50ac5b6aa492e64502ae545703ff9f516e2ec08
SHA256 04a26d88b4ab00b99bcfdfaf8cbc429634572aa57997b16f8289a4d6232d2daa
SHA512 84a5d34a3ea84004594ffa564374f72ccf764e6912c34c52a83f0b302f688cf5dbf0dd56fc26d8baea1c6acbbbccc97c30ed6f712d66c6e5481318b673a0ec3e