Malware Analysis Report

2025-08-10 23:43

Sample ID 231011-y6cbhsdc39
Target f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed
SHA256 f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed
Tags
amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor google discovery dropper evasion infostealer persistence phishing rat spyware stealer trojan breha kukish microsoft
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed

Threat Level: Known bad

The file f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed was found to be: Known bad.

Malicious Activity Summary

amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor google discovery dropper evasion infostealer persistence phishing rat spyware stealer trojan breha kukish microsoft

SectopRAT payload

SmokeLoader

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Amadey

DcRat

Detected google phishing page

Detects Healer an antivirus disabler dropper

RedLine payload

SectopRAT

Downloads MZ/PE file

Uses the VBS compiler for execution

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 20:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 20:23

Reported

2023-10-12 15:03

Platform

win7-20230831-en

Max time kernel

151s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\E489.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\E489.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E489.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\E489.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\E489.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E489.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F00F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F3B8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F80C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F80C.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8C2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\E489.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\E489.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\C83F.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c04daa241dfdd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{465AB131-6910-11EE-81AA-5EF5C936A496} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b000000000200000000001066000000010000200000004c767ad754ee61b979ba0af184062c91992a494372120ff276eb4ccff8145a09000000000e80000000020000200000008b32e11fb17ab324f2b3dc03c68d048e90bcbebf2de481e3c64b15a4cd40cf5b90000000bf07f48ba9e50bd6994f172ff9f30e416709c289173e642af5bd889e3b83f601e04958442e61d33dc030d9426eb13e2fbe2eaaf2a2ac6a0a34655cfc1aa83c0c866b37a1979f60b279a3f70eccb7326d4fc9640e34f0d44e5158f83ce9c774d84104c7bcb42a6d09964f83564a401700288a2c6797219c15df935295c7615aaa764473150f6ba8b6db0841b4f9bcaf1940000000e99a02795073f0553fae75caadb2c0f530320560b277697764e3d9dab4f2a10e299972234cf0dea3e2965f4b823dffd38dd1c77eaee2ae93b9517a2ed709f5db C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403284786" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{47B639F1-6910-11EE-81AA-5EF5C936A496} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b000000000200000000001066000000010000200000003a2ba14026fe7c940fa63191ab63ed94d7e1ed22748b8171e550186219a3d2dd000000000e8000000002000020000000d8af9e88493882d5b491e70477d8bbabea14a3ac0ac52acab998e5408b228a8a200000001ea872ac594cb7c315591aa88ff1009f6ebac241db4f92068b9c5ae1d422baac4000000005e7ec90062ad7cc39a64930ff594c4ecc1d73837310cfc98e034c6bde950b2af4a487c8d4e6a5d56c79cac329b9ad631d93c6571297ecf743b5c5d48fa3fe8f C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\FEF0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\FEF0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\FEF0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\FEF0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E489.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FEF0.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1206.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F3B8.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1376 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\SysWOW64\WerFault.exe
PID 1376 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\SysWOW64\WerFault.exe
PID 1376 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\SysWOW64\WerFault.exe
PID 1376 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\SysWOW64\WerFault.exe
PID 1348 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe
PID 1348 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe
PID 1348 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe
PID 1348 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe
PID 1348 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe
PID 1348 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe
PID 1348 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe
PID 1348 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA52.exe
PID 1348 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA52.exe
PID 1348 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA52.exe
PID 1348 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA52.exe
PID 2136 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2136 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2136 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2136 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2136 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2136 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 2136 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\C83F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 1348 wrote to memory of 2440 N/A N/A C:\Windows\system32\cmd.exe
PID 1348 wrote to memory of 2440 N/A N/A C:\Windows\system32\cmd.exe
PID 1348 wrote to memory of 2440 N/A N/A C:\Windows\system32\cmd.exe
PID 864 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 864 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 864 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 864 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 864 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 864 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 864 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2460 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2460 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2460 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2460 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2460 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2460 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2460 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 3028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 3028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 3028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 3028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 3028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 3028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 3028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 2392 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2392 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2392 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2392 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2392 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2392 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2392 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2440 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe

"C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 52

C:\Users\Admin\AppData\Local\Temp\C83F.exe

C:\Users\Admin\AppData\Local\Temp\C83F.exe

C:\Users\Admin\AppData\Local\Temp\CA52.exe

C:\Users\Admin\AppData\Local\Temp\CA52.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CB6C.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\D5F8.exe

C:\Users\Admin\AppData\Local\Temp\D5F8.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\E489.exe

C:\Users\Admin\AppData\Local\Temp\E489.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 48

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 36

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:340994 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\F00F.exe

C:\Users\Admin\AppData\Local\Temp\F00F.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\F3B8.exe

C:\Users\Admin\AppData\Local\Temp\F3B8.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\F80C.exe

C:\Users\Admin\AppData\Local\Temp\F80C.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\FEF0.exe

C:\Users\Admin\AppData\Local\Temp\FEF0.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 48

C:\Users\Admin\AppData\Local\Temp\6AE.exe

C:\Users\Admin\AppData\Local\Temp\6AE.exe

C:\Users\Admin\AppData\Local\Temp\8C2.exe

C:\Users\Admin\AppData\Local\Temp\8C2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 524

C:\Users\Admin\AppData\Local\Temp\1206.exe

C:\Users\Admin\AppData\Local\Temp\1206.exe

C:\Users\Admin\AppData\Local\Temp\186D.exe

C:\Users\Admin\AppData\Local\Temp\186D.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {5D2820CF-CF41-4131-8727-4AB12DF0E1AF} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
GB 157.240.221.35:443 fbsbx.com tcp
GB 157.240.221.35:443 fbsbx.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 104.26.12.31:443 api.ip.sb tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2912-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2912-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2912-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2912-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2912-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2912-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1348-5-0x00000000029B0000-0x00000000029C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C83F.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\C83F.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

\Users\Admin\AppData\Local\Temp\C83F.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\CA52.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\CA52.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\CB6C.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

C:\Users\Admin\AppData\Local\Temp\CB6C.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\D5F8.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

C:\Users\Admin\AppData\Local\Temp\D5F8.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

C:\Users\Admin\AppData\Local\Temp\E489.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\E489.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/1216-139-0x0000000000A40000-0x0000000000A4A000-memory.dmp

\Users\Admin\AppData\Local\Temp\CA52.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\CA52.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\CA52.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\F00F.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\CA52.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\F00F.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{465AB131-6910-11EE-81AA-5EF5C936A496}.dat

MD5 772fc283773beb7d5fdc6949d8cebe2b
SHA1 a37588fff6513839ab1bb2ea378f32b9cb98af4f
SHA256 cefaf51d309d58ca97fd5bd53d24894e305a9f58399eff90efd4a2347adb05d6
SHA512 3b0b7301bc63fb930990799d754417eddd469fc25e1b1d7116a8bf9b09d5531ee4fe379d08320835b2dd830d37b63b6906156edb4d2e13e1d865016dc1de82cb

C:\Users\Admin\AppData\Local\Temp\F3B8.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\F3B8.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\F80C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\F80C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/1216-180-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

memory/2396-183-0x0000000000260000-0x00000000002BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2396-184-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FEF0.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

\Users\Admin\AppData\Local\Temp\F80C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

\Users\Admin\AppData\Local\Temp\F80C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/2396-196-0x0000000071B20000-0x000000007220E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F80C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\FEF0.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/2424-198-0x0000000000DF0000-0x0000000000E0E000-memory.dmp

memory/2424-201-0x0000000071B20000-0x000000007220E000-memory.dmp

\Users\Admin\AppData\Local\Temp\F80C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

\Users\Admin\AppData\Local\Temp\F80C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\Cab35D.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

\Users\Admin\AppData\Local\Temp\F80C.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/2424-217-0x0000000004C00000-0x0000000004C40000-memory.dmp

\Users\Admin\AppData\Local\Temp\D5F8.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

\Users\Admin\AppData\Local\Temp\D5F8.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

\Users\Admin\AppData\Local\Temp\D5F8.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d6150dd7bc833c72411e09c33a3ced7
SHA1 cf260fbd230aaa635221cd9c2174cf216a4a094e
SHA256 377031767f20e817c4fe743058bea2be32bb9600e9d162a1eaaf3d6852f2038b
SHA512 3e6bdb8c91e76e77ed3eba199e989de90e3ecb7be91c7e589923022dda32edc0ec1995bc888657818954a5855539b4324ef8f55b1a1734c26648c931ed287088

\Users\Admin\AppData\Local\Temp\D5F8.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

C:\Users\Admin\AppData\Local\Temp\Tar55F.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d6150dd7bc833c72411e09c33a3ced7
SHA1 cf260fbd230aaa635221cd9c2174cf216a4a094e
SHA256 377031767f20e817c4fe743058bea2be32bb9600e9d162a1eaaf3d6852f2038b
SHA512 3e6bdb8c91e76e77ed3eba199e989de90e3ecb7be91c7e589923022dda32edc0ec1995bc888657818954a5855539b4324ef8f55b1a1734c26648c931ed287088

C:\Users\Admin\AppData\Local\Temp\6AE.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

memory/2180-317-0x0000000000E50000-0x0000000000FA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8C2.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\8C2.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/2140-337-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2616-336-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2180-335-0x0000000000E50000-0x0000000000FA8000-memory.dmp

memory/2140-340-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2616-338-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2616-347-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2616-352-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2140-350-0x0000000071B20000-0x000000007220E000-memory.dmp

memory/2180-351-0x0000000000E50000-0x0000000000FA8000-memory.dmp

memory/2616-349-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1216-365-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

memory/2616-369-0x0000000071B20000-0x000000007220E000-memory.dmp

memory/2144-383-0x0000000000C90000-0x0000000000CEA000-memory.dmp

memory/2144-389-0x0000000071B20000-0x000000007220E000-memory.dmp

memory/2144-412-0x0000000004370000-0x00000000043B0000-memory.dmp

memory/2616-413-0x0000000007460000-0x00000000074A0000-memory.dmp

memory/2396-414-0x0000000071B20000-0x000000007220E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCB5UVUE\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/2424-485-0x0000000071B20000-0x000000007220E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2A2E.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/1216-658-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2A44.tmp

MD5 2775eb5221542da4b22f66e61d41781f
SHA1 a3c2b16a8e7fcfbaf4ee52f1e95ad058c02bf87d
SHA256 6115fffb123c6eda656f175c34bcdef65314e0bafc5697a18dc32aa02c7dd555
SHA512 fe8286a755949957ed52abf3a04ab2f19bdfddda70f0819e89e5cc5f586382a8bfbfad86196aa0f8572872cdf08a00c64a7321bbb0644db2bed705d3a0316b6c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCB5UVUE\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac29f965f5eda14976c82c7e670dc0cb
SHA1 f24b8faa9cceac5ac11aa780cda4442b6de6eb7e
SHA256 0385d729a8aa3ef3f0fd4854a5e241fc82f5f42a4a81c7cc31906d3d7001657e
SHA512 3907139eebf235550ed956172df3d8f5fa907d20446d49acf7bcc7f5df057d9e9c3b4e6669242be667a12213dafe8cf036e560a7686f38c4e6a9772792499fcc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3b49296b64b595f0658f46706a770a5
SHA1 47d3716a21f78b2db17e5de9a78e76d5b6b9fac9
SHA256 6628db699ba25a5c2d7705fb7b2ba37bc56cce4a25c4459888db7ff7d2a71471
SHA512 88a2a0b87b7b9e57231f912c2c1447ecb7fc4770946b3924849f5f8e14d9704925d5f9139b50a0153d16acb77570cba7dd7333ec0400517d8a4360439b6e5377

memory/2140-763-0x0000000071B20000-0x000000007220E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3044804e57fe09581e33d4b36e9e35f8
SHA1 b947bdbd192c4fe0bf1149cadf4b1cf133b1d558
SHA256 5ceb930bf7587e016c02b5c4b607fd0d59fa11db959fd7506427d7e83772360c
SHA512 f92b61d154a6aa9730f65ee3ae68b54a09c7d739a16200c52e355537c236605c42dcfe375dab38f430865903901593926051bfd3fda5338428bd28d48d355651

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 078ceb698bc36609e9a4bedb9879c000
SHA1 46fc11d143a7981f6677666da3a76851c224950b
SHA256 ce1f903431f7c2869cc888173dd095248581570a4c1f4499c8438c26f83bcebf
SHA512 19c7d67d4384038c258b837e8db5329adfe7e99cc79ddcb40b3ff7875f5e64a740d5310fab6ca33c402357d2840395b1e0d33def83e445e53bb9e7ce58c41ad7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39f92ae4f8d4068b26bce225faa7b10b
SHA1 b9bde306ba5b7eb5fc31276cf1ec417b47c96171
SHA256 c2d4b1832cbef45e30a9a6aaa69e29c37dbc347556ed54aaa1a475a44fc29aa9
SHA512 6b57806ab140b14774143c0be7cc3d137ecfe5d7b4d01edfee400180f830a353222b96b85ecc1f57938e621016370cc62a6e109823613001266275134b4172f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5b6105de9f2b82be09d6f4ceaa31f8d
SHA1 eca62e919bf924001ba68f50dab4c0aaa5638e0b
SHA256 e6274dedc5572139cb1a7580b2bdcc8c5222e31d822258bd8375a79f231ee440
SHA512 5fe92c3a8e00e954d76b45d167cb94d9169a4ec7c456d1975ee7fa0435aa7879e2354b6106b37829e12617195f8d25a41cb26b227484422b10d38ae4c7d5c142

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33628baa3badaa13befd2bdb06c72164
SHA1 9c7741147691907c59267e68a2767640179e24e0
SHA256 5a5bb2665238055e0466a3830fcf4aa3a476753e2aea991f2da56f125489bd1e
SHA512 da1bd39cf67ab77a50d939ccdb9e1ced01277495675c909a0ec926f615821a7295d7f0661e1584a496cfa88519b2b9f66c2f3bca14fbd13093bfa56927d06e69

memory/2144-994-0x0000000071B20000-0x000000007220E000-memory.dmp

memory/2616-993-0x0000000071B20000-0x000000007220E000-memory.dmp

memory/2424-1041-0x0000000071B20000-0x000000007220E000-memory.dmp

memory/2616-1141-0x0000000007460000-0x00000000074A0000-memory.dmp

memory/1752-1143-0x000000013F180000-0x000000013F47F000-memory.dmp

memory/572-1142-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/1752-1147-0x000000013F180000-0x000000013F47F000-memory.dmp

memory/572-1149-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/572-1150-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/572-1151-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/572-1146-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/572-1145-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/2616-1152-0x0000000071B20000-0x000000007220E000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 179933b1ef480cc7726b963b56b6c511
SHA1 5151b68ed752756f5130ee6a6d9d92690edd9d33
SHA256 f8a782469898e3e191adbfb6cd3ca3a981f5daa073981285fa4da4e8a3d45731
SHA512 41451158d25e5381603a6a15de4e0e9511b566533940cf1020885cd5d8ab67078555495bd7b81ce3b2e4968dcb3243cf1490b5c65e905affb94f4178be024230

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 4d9d67e84e2a8cf35cb04bcb22fa08fb
SHA1 ab94059a011582ca23356474a35dae407bce539f
SHA256 e5488acef8dd419bdab5722a1ee11030dab2638b1b274588296612c7918c0537
SHA512 a86fbb48be9072f8fef1c2971bf9bc0e765a1ac8ea39fb99b039abee4c6c943256b61ac9a61eeb9fcc802c3282f9a89ee79f4847f210e0876b88419b5422eaea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2e40c7b7060698bbb9b80cce6a33bdf
SHA1 499cf955fe77315ff37d38d746be0a8ce52243f9
SHA256 5801baf4d021603920ba0c9d1dd0ee445da6b468819e7fe026d4f72a65b756b8
SHA512 01396996d9282de64fb6023d0a48d6a229a71962302b4b0304acc40aea8ae50ee2b498e5b78919774921f7d49d9b5c4aef6e77b9ad8c4e1a77d6ab4b7746adcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0db3dc205de2535b7d205e870701235e
SHA1 73a7d72f55319ad7dacfe2b461f1eede28784489
SHA256 f0d4f56aaaf8ae58000b487a156127fd1eb0edc6d59a06d483bee7b2a2d66e97
SHA512 6615f229dd5095a14ba2ff25d57fef41a2dd028de966db8492256a0f21bc98b9f01cf064410a18f275593cc87e20a6d409185862955821fe58ba47ca0fea404e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a822c30e908aa3182b750a44a793cbab
SHA1 178f884e1cea5fdff53fd59a19a7cd088981831a
SHA256 8dce8b8c30a2c68d5b66ffe213d2df045987f2ebfba42b536dbe7fd0a22945b2
SHA512 37288fe5addae4870e045c1a003f1952936213514152d36b39c50e9ebb7ee036ed94fc63064f03a16f11b82003397cf5a25a6655cbf46f48bd3e111fc27af4fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de33881d9b38f056055fb7b7af6172bd
SHA1 ed41586dbc1d200ff0633c62d4e16ffc1ac52af4
SHA256 4a8db858931c375c61b3be32d26a676b795b4850a09ec26760cdc8440be479fb
SHA512 cac8add503dc62b65b9914a61be2633f6de6967f545f0c831833729d0de87ee20872d27e5177bc116fd4a8691bf2c047d8e5e72e425b1257161b24056d1e97cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cabde8e5124da6dcc1f7419e73c1441
SHA1 024abcc4076bbde037c5a49f55965e9cff310d14
SHA256 e5b3bc2a8007086b566b42e9cb8012519fef09bd0119c0b90cc877c37603ba17
SHA512 6233eb5c6ab067d9c1c66dad0d443704b76e8e65c1b906b0f2762a8b5023f68ab8295d8a0d3cd841d1708ccc2f8e44e6e39ec2082787a4cd0f7852367570a02b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c9942c8ce98ce2038e0795e3e6428be
SHA1 3ce3ce72d9be81d0464416e19d7cd4d0e67367ff
SHA256 5c921ca0704816be8d4a0291c41abde7f2133099dab47c753b3f958c73ae1cae
SHA512 30b6f7adbdfc640c9b5d605604f0bd8d4e56e542e3d5ac57c873e6e2fd221ea84bbf194fe53e4bc00cd1a99b08972a8faecc549cc5c5cf4ecc48d092d73b3e27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 7c8f9df2f545e2e8f1f4351eecc62664
SHA1 9a93e93b65ce48d009ef2b25fd72148c8888aac4
SHA256 fa738f560e8798bd4c1b850a550e7ae2764fa0532130bb3de3b1ca6cea940986
SHA512 0b6c7d34d491b8f91a959648e40c531a49711455bdd21a5450d7f3012b37046a76fbfdb4f4a2869756cc4005150bc03ba8eedb3a6db1bc945f4779202a1c44ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 596f94beb5da3a008f84025845895762
SHA1 c75d1ddc7ba3dda6a0d82e173d1e8e31b5f15948
SHA256 88ebc0d5420c74c4b4151d975151c5c25c01fd5c54dc2b15f948965303264163
SHA512 dc7dbd6aa1144a64a5b1ef902d746ea12b5f69811edc3311d0d3a815de22f9d923c6d84532b0d67a6d7036598fa17facc187e27bb5f77823736b9955b01b97ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9bc1dcd3fc22b2656f95eca57b68829e
SHA1 7cb1565f8365ed6e1ec882150d3b46aa399d0be0
SHA256 6f213dbed4bdf34603955e9f457798696e3ed4dfcd586b0dac96f7f5e5d877c3
SHA512 0dd8a717e918a8644feaa70a50207815c67f344c962f30e370392abd11b938351894feed0d9ce31c006d71917bdafbcdb8bc6b7f04996a5ebf8c01c416154ce7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74c0fff5fa9d199de0ff5e3a81bf33cf
SHA1 b9db556b6516fc8dea9b7316684155e8dbd1d9ba
SHA256 0805e71dcd5de3a3ab03b43106cd25968fd33fe954ff48776107a558bda3e8d2
SHA512 1bb09ba9971d3885960f2a4f695b2080a3849db776ccf461fb1b4a4ee3503b8910fe28c552ef8ea0aa3dc7fa67066f13a1aa4274ed05b7d5abb96a06e57728d1

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 20:23

Reported

2023-10-12 15:04

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\3095.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\3095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\3095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\3095.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3384.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3605.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3095.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\29F9.exe N/A

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3095.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3605.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3796 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3796 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3796 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3796 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3796 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3276 wrote to memory of 4604 N/A N/A C:\Users\Admin\AppData\Local\Temp\29F9.exe
PID 3276 wrote to memory of 4604 N/A N/A C:\Users\Admin\AppData\Local\Temp\29F9.exe
PID 3276 wrote to memory of 4604 N/A N/A C:\Users\Admin\AppData\Local\Temp\29F9.exe
PID 3276 wrote to memory of 1296 N/A N/A C:\Users\Admin\AppData\Local\Temp\2BB0.exe
PID 3276 wrote to memory of 1296 N/A N/A C:\Users\Admin\AppData\Local\Temp\2BB0.exe
PID 3276 wrote to memory of 1296 N/A N/A C:\Users\Admin\AppData\Local\Temp\2BB0.exe
PID 4604 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\29F9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 4604 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\29F9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 4604 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\29F9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
PID 3276 wrote to memory of 4992 N/A N/A C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 4992 N/A N/A C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 928 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 928 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe
PID 2820 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2820 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 2820 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe
PID 4920 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 4920 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 4920 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe
PID 3276 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\2FB9.exe
PID 3276 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\2FB9.exe
PID 3276 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\2FB9.exe
PID 2968 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2968 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 2968 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe
PID 3276 wrote to memory of 2152 N/A N/A C:\Users\Admin\AppData\Local\Temp\3095.exe
PID 3276 wrote to memory of 2152 N/A N/A C:\Users\Admin\AppData\Local\Temp\3095.exe
PID 3276 wrote to memory of 232 N/A N/A C:\Users\Admin\AppData\Local\Temp\3384.exe
PID 3276 wrote to memory of 232 N/A N/A C:\Users\Admin\AppData\Local\Temp\3384.exe
PID 3276 wrote to memory of 232 N/A N/A C:\Users\Admin\AppData\Local\Temp\3384.exe
PID 3276 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\3605.exe
PID 3276 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\3605.exe
PID 3276 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\3605.exe
PID 3276 wrote to memory of 3592 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 3276 wrote to memory of 3592 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 3276 wrote to memory of 3592 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 232 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\3384.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 232 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\3384.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 232 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\3384.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3276 wrote to memory of 4308 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B47.exe
PID 3276 wrote to memory of 4308 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B47.exe
PID 3276 wrote to memory of 4308 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B47.exe
PID 5000 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\3605.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 5000 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\3605.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 5000 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\3605.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 4964 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4964 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4964 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3276 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\Temp\4124.exe
PID 3276 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\Temp\4124.exe
PID 3276 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\Temp\4124.exe
PID 4964 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\45E8.exe
PID 3276 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\45E8.exe
PID 3276 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\45E8.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe

"C:\Users\Admin\AppData\Local\Temp\f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 236

C:\Users\Admin\AppData\Local\Temp\29F9.exe

C:\Users\Admin\AppData\Local\Temp\29F9.exe

C:\Users\Admin\AppData\Local\Temp\2BB0.exe

C:\Users\Admin\AppData\Local\Temp\2BB0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2CCA.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\2FB9.exe

C:\Users\Admin\AppData\Local\Temp\2FB9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

C:\Users\Admin\AppData\Local\Temp\3095.exe

C:\Users\Admin\AppData\Local\Temp\3095.exe

C:\Users\Admin\AppData\Local\Temp\3384.exe

C:\Users\Admin\AppData\Local\Temp\3384.exe

C:\Users\Admin\AppData\Local\Temp\3605.exe

C:\Users\Admin\AppData\Local\Temp\3605.exe

C:\Users\Admin\AppData\Local\Temp\3913.exe

C:\Users\Admin\AppData\Local\Temp\3913.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\3B47.exe

C:\Users\Admin\AppData\Local\Temp\3B47.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\4124.exe

C:\Users\Admin\AppData\Local\Temp\4124.exe

C:\Users\Admin\AppData\Local\Temp\45E8.exe

C:\Users\Admin\AppData\Local\Temp\45E8.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3592 -ip 3592

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\4992.exe

C:\Users\Admin\AppData\Local\Temp\4992.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 792

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\57DB.exe

C:\Users\Admin\AppData\Local\Temp\57DB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffec1f946f8,0x7ffec1f94708,0x7ffec1f94718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffec1f946f8,0x7ffec1f94708,0x7ffec1f94718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1296 -ip 1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec1f946f8,0x7ffec1f94708,0x7ffec1f94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=45E8.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3940 -ip 3940

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 840 -ip 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 200

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 456 -ip 456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yu966Qp.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yu966Qp.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 236

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=45E8.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec1f946f8,0x7ffec1f94708,0x7ffec1f94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4496071578161396027,2836024679528797114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 mscom.demdex.net udp
IE 34.254.142.64:443 mscom.demdex.net tcp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 64.142.254.34.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 52.168.112.66:443 browser.events.data.microsoft.com tcp
US 52.168.112.66:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/2256-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2256-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2256-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3276-2-0x00000000037D0000-0x00000000037E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\29F9.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\29F9.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\2BB0.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\2BB0.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

MD5 264645e6949faa6016f9b985467c88ea
SHA1 efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e
SHA256 aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517
SHA512 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rN1Jp6KH.exe

MD5 9fe34a518445397968659dce6da60c18
SHA1 52eae1b19718ca1357bf9c6466e22947a77c1930
SHA256 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb
SHA512 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oy3TK5PJ.exe

MD5 ad9fff6459a8fc45d5422347648c4a5f
SHA1 c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf
SHA256 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c
SHA512 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a

C:\Users\Admin\AppData\Local\Temp\2FB9.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zh2vK7dI.exe

MD5 0bbb36ddd1e4621672f2ef69da9105e5
SHA1 fa6a570e0a934e9f91e4689ea31560dfa99f3c84
SHA256 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d
SHA512 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\3095.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\3095.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\2FB9.exe

MD5 a410f2978782614af3d5e20abf2f3ac9
SHA1 bbbfd08cf58add22f347b217b2a69be389aaf24c
SHA256 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab
SHA512 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0

memory/2152-63-0x0000000000F80000-0x0000000000F8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\3384.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\3384.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2152-66-0x00007FFEB14D0000-0x00007FFEB1F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JP83Dm7.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\2CCA.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\3605.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\3605.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\3913.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\3B47.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\3913.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\3B47.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\4124.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

memory/4308-108-0x00000000003D0000-0x00000000003EE000-memory.dmp

memory/3592-107-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2564-112-0x0000000000DD0000-0x0000000000F28000-memory.dmp

memory/4308-111-0x0000000071FC0000-0x0000000072770000-memory.dmp

memory/3592-104-0x0000000001F90000-0x0000000001FEA000-memory.dmp

memory/3592-117-0x0000000071FC0000-0x0000000072770000-memory.dmp

memory/4308-119-0x0000000005340000-0x0000000005958000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4124.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\45E8.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/4308-122-0x0000000004CB0000-0x0000000004CEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4992.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/4168-127-0x0000000000850000-0x00000000008AA000-memory.dmp

memory/4168-129-0x0000000071FC0000-0x0000000072770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\45E8.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/4308-131-0x0000000004D10000-0x0000000004D20000-memory.dmp

memory/4308-130-0x0000000004D20000-0x0000000004D6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4992.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/4308-121-0x0000000004C50000-0x0000000004C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3913.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\3913.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4168-132-0x0000000007B40000-0x00000000080E4000-memory.dmp

memory/4168-133-0x0000000007670000-0x0000000007702000-memory.dmp

memory/2376-134-0x0000000001F80000-0x0000000001FDA000-memory.dmp

memory/4168-135-0x0000000007640000-0x000000000764A000-memory.dmp

memory/2152-137-0x00007FFEB14D0000-0x00007FFEB1F91000-memory.dmp

memory/2376-139-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4168-141-0x00000000080F0000-0x00000000081FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\57DB.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

memory/2152-146-0x00007FFEB14D0000-0x00007FFEB1F91000-memory.dmp

memory/2564-150-0x0000000000DD0000-0x0000000000F28000-memory.dmp

memory/916-149-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4168-155-0x0000000008200000-0x0000000008266000-memory.dmp

memory/2564-156-0x0000000000DD0000-0x0000000000F28000-memory.dmp

memory/4308-157-0x0000000071FC0000-0x0000000072770000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/3592-166-0x0000000071FC0000-0x0000000072770000-memory.dmp

memory/4168-167-0x0000000071FC0000-0x0000000072770000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/1060-169-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/1060-174-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1060-178-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4308-179-0x0000000004D10000-0x0000000004D20000-memory.dmp

memory/1060-180-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

\??\pipe\LOCAL\crashpad_516_QQNPBWNIWXQXPYIE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8db7b1691358199160663573be7f79ba
SHA1 e5fcc2e8502a9569affd12820d28311373314c16
SHA256 844072025f50ed613aa84cb59329ba214532147d2806bfff9453a579ab9dca04
SHA512 351d63b3fbff66cbcd8258c85af409de16bc67fc2009343929e47bf371e15d9379ce9e798326859a2837fa4b021d6d473655f573f28dd620c91c9bce9214feca

memory/4632-190-0x00007FF6C2230000-0x00007FF6C252F000-memory.dmp

memory/4168-205-0x0000000007870000-0x0000000007880000-memory.dmp

memory/4308-206-0x0000000006240000-0x0000000006402000-memory.dmp

memory/4308-209-0x0000000006940000-0x0000000006E6C000-memory.dmp

memory/1060-211-0x0000000000400000-0x0000000000433000-memory.dmp

memory/840-215-0x0000000000400000-0x0000000000433000-memory.dmp

memory/840-216-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/840-218-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5560-229-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4308-230-0x0000000006690000-0x0000000006706000-memory.dmp

memory/5560-231-0x0000000071FC0000-0x0000000072770000-memory.dmp

memory/5560-234-0x0000000007520000-0x0000000007530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yu966Qp.exe

MD5 0e19769e1f0bb8e5ad0a561189fa67d8
SHA1 e96e111d73329225611a553118878ddc92816230
SHA256 4878678d86879b014280fb0c1479968f25d50e2aeadc30ef1e306ec58d06fbeb
SHA512 e52ff5acc44ca82700927292f33c1c098c67e7196bff5712020ca459ff65fdb44d9ce36a0fbbc98f782b30247ff81ebd62815db9c291af8aebbc44e73a889bcf

memory/4308-236-0x0000000006810000-0x000000000682E000-memory.dmp

memory/5776-237-0x0000000000AF0000-0x0000000000B2E000-memory.dmp

memory/5776-238-0x0000000071FC0000-0x0000000072770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yu966Qp.exe

MD5 0e19769e1f0bb8e5ad0a561189fa67d8
SHA1 e96e111d73329225611a553118878ddc92816230
SHA256 4878678d86879b014280fb0c1479968f25d50e2aeadc30ef1e306ec58d06fbeb
SHA512 e52ff5acc44ca82700927292f33c1c098c67e7196bff5712020ca459ff65fdb44d9ce36a0fbbc98f782b30247ff81ebd62815db9c291af8aebbc44e73a889bcf

memory/5900-241-0x0000000000830000-0x0000000000863000-memory.dmp

memory/5776-250-0x0000000007920000-0x0000000007930000-memory.dmp

memory/5900-249-0x0000000000830000-0x0000000000863000-memory.dmp

memory/5900-252-0x0000000000830000-0x0000000000863000-memory.dmp

memory/4632-251-0x00007FF6C2230000-0x00007FF6C252F000-memory.dmp

memory/5900-257-0x0000000000830000-0x0000000000863000-memory.dmp

memory/4168-264-0x0000000009920000-0x0000000009970000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8513cc00bcd0ca45da76105bc5742226
SHA1 a85aa139570e3093c901a3247b4b2a84714d671d
SHA256 093df69353b2df2e1dfd87c12ffd302dbb3f7202b4f7155afd11f1b1c54c879c
SHA512 251e770595d5dc17e74f992c8294b5336c8f20f24086725f570c6bc4402858225bbf734d7359478161adfbea309255ce5bdbc8114f59402bfe5a3ff9412f96c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/5900-270-0x0000000000830000-0x0000000000863000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5a5687e68f5817f478f2e750d31e6230
SHA1 6f136e33d99e85e1d614ce206f51f06e30e99ca2
SHA256 771f44c7f3c653c671f04f9486c7bb730a947f402e5ae76a8310a1ac6cd68573
SHA512 75bf65252ca94ec432f4eee4fc0a00a4933d99f2d6e4d3d9f36ce2876c314f855b87c2471becd11be93ad4d0bd202b48609058a6ae19f764df74ac78feb1ccd0

C:\Users\Admin\AppData\Local\Temp\tmpADE0.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

C:\Users\Admin\AppData\Local\Temp\tmpAFAB.tmp

MD5 8395952fd7f884ddb74e81045da7a35e
SHA1 f0f7f233824600f49147252374bc4cdfab3594b9
SHA256 248c0c254592c08684c603ac37896813354c88ab5992fadf9d719ec5b958af58
SHA512 ea296a74758c94f98c352ff7d64c85dcd23410f9b4d3b1713218b8ee45c6b02febff53073819c973da0207471c7d70309461d47949e4d40ba7423328cf23f6cd

C:\Users\Admin\AppData\Local\Temp\tmpB0A1.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpB0C6.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8513cc00bcd0ca45da76105bc5742226
SHA1 a85aa139570e3093c901a3247b4b2a84714d671d
SHA256 093df69353b2df2e1dfd87c12ffd302dbb3f7202b4f7155afd11f1b1c54c879c
SHA512 251e770595d5dc17e74f992c8294b5336c8f20f24086725f570c6bc4402858225bbf734d7359478161adfbea309255ce5bdbc8114f59402bfe5a3ff9412f96c1

C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpB194.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/4308-508-0x0000000071FC0000-0x0000000072770000-memory.dmp

memory/5560-511-0x0000000071FC0000-0x0000000072770000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

memory/5560-522-0x0000000007520000-0x0000000007530000-memory.dmp

memory/4168-527-0x0000000071FC0000-0x0000000072770000-memory.dmp

memory/5776-529-0x0000000071FC0000-0x0000000072770000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5776-548-0x0000000007920000-0x0000000007930000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cd8aa9f344818284077d46b4907ec9e4
SHA1 b4c67e49655ee4cd02990f819e7f1cc7e9dbfa7d
SHA256 c64b85a03bf021f928311bfabf5970bf5fd16fb945cf73092d88fd87a843ca38
SHA512 54387936b18c85d0c370c5adfccb6a0192808d56b3889749defaeedba327b5f5019b7b9f015c4da4de7e76a981a3327a234fd23083e062c6c91994c98a132e9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f75deb23d8f6666a8c28d305f798d365
SHA1 324ef323494d0609d3741bb1c757621e504664d5
SHA256 ecacabdddc6a31fa26d87e984c794cd7d4c3ea55a71b41f52dfe7ad6118c6777
SHA512 eb7b76b98d828ed67e04a45d38e63c6f0b3122ada04d067fee5821fd1b820f8edc65f91771df824c2ba4b99297d5e966073174ab0696cfd126b5a46220c31659

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 b9fab4ea3e6b67f9bad800de0027605e
SHA1 056d7ddaafaa65bdde7b9e86cab6660d7f1543e8
SHA256 3aee85d9cc77e9b56a39ed6955fde3646369072937c1002cda3c1169c70ec6f0
SHA512 caee9a91bd3cf1381328b94ab7b59e9abd503f0f951266be046e736f2060aa768c3d47c66db941ecd6e225a2ed3bcc093d24fefdffe23e11b24f8d923012cf54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58dafa.TMP

MD5 e99ecec05f1134483155749b1a969861
SHA1 5a1baaef44d9b46842f62614d8137378246fa790
SHA256 7a53796e587b9975b6dc25fa544e5067149e26e6af7de27a003ec36391ff128e
SHA512 1fed487ada5a3be429b1255e8a73102d0759dc78cbe3904b737dd7df990d941cc79dbf894f24796af5ab017900794325fe2ba12b5226d4e5985b635a4754305a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 824c5a1dad3c42ada8b8ce4b1a74ebe4
SHA1 d2dea9ab4015bbd3be1c9fd52137222c196eb8c3
SHA256 3ce5b8281564b3fd26679c0c0e38d21af56ac48ccbac6c86d5430ff571e7de61
SHA512 532cf6a9f48bea79cc827c01031faf901d4a562630f101ae2a086ff9f2a670ae68716e1fad8babafc447a3d4f6dbddf218ac97bd431f3a44300f99dd6a34690e

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e6996f372f8907732b5c28970c63d0cb
SHA1 f79e124bbc3882fb68301e08428b27fcfd3c97bf
SHA256 e4968494cc305c6f9d8c8c7246d860e3c31ca071d197bd99082611b49b03d1c5
SHA512 8aa69673c023d1d3afca384924526e5746e84986bddb562176ec351d149d2fefb71c20da106f18166359266207c2a24b5bd53cd61ef2793aa850126026384ae7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7e211698efbebec4ce5f3c0096bb8ab1
SHA1 50df8d569e18a7b42fd30a50c5853f7186d940a4
SHA256 c404c28293ef3805c8762b3d3207870162237d5e2ce3bd4a0d8c498094040bd3
SHA512 66d36a1ff0b9ddbc46fdd0e46dda9394017acc583a0638edb0b477d9b5867b73a93ba28c17133c5f726736503f3c513432b13ae848d415113e76ad172248d4b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5dc129d58bec46c4d1848c0d0d39310d
SHA1 2ba7b70a40d9153f4c476cb6f3307caeee8b713d
SHA256 145727730267e11d1c8a742c8f37db801827fead88a5fdf8fef28b37b90d4aa8
SHA512 c76da4a65b3c1f001cf111292b06a0fb4bfb84259d20b22f9a537fa642690c1c17c1165354c7fe9dbd84265fe597272f1fb79d206487087b9e68ca45055361ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 06c515c059bf7b5d03c031e6093a7a7d
SHA1 919fa8804f09c47ceed63127e8de1f491fb3a060
SHA256 13702103f99f4964d7407e7b6cd0bc0727cfbe142dc7e58f6f718a5edcaa1a36
SHA512 3c1b775a93f4c343410a28d812c22d3361ec034e5fb775be69a4610417bd29274c54c0e25db94c4e9593c1cfe7e23d94817d42b8b640ff030d5fdf2fa0c1fc03