Malware Analysis Report

2025-08-10 23:42

Sample ID 231011-y81rwsbf9t
Target 8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f
SHA256 8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f
Tags
amadey healer redline smokeloader backdoor dropper infostealer persistence trojan dcrat sectoprat @ytlogsbot breha kukish pixelscloud microsoft discovery evasion phishing rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f

Threat Level: Known bad

The file 8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f was found to be: Known bad.

Malicious Activity Summary

RedLine

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Amadey

SectopRAT payload

SmokeLoader

SectopRAT

DcRat

Detects Healer an antivirus disabler dropper

Downloads MZ/PE file

Uses the VBS compiler for execution

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 20:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 20:28

Reported

2023-10-12 15:24

Platform

win7-20230831-en

Max time kernel

254s

Max time network

290s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\EE55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2756 set thread context of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5EB3AA40-6913-11EE-B046-FAEDD45E79E3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\121E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5567.exe N/A

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2756 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2756 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2756 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\SysWOW64\WerFault.exe
PID 1184 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe
PID 1184 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe
PID 1184 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe
PID 1184 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe
PID 1184 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe
PID 1184 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe
PID 1184 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe
PID 2540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
PID 2540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
PID 2540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
PID 2540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
PID 2540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
PID 2540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
PID 2540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\EE55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
PID 1184 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB03.exe
PID 1184 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB03.exe
PID 1184 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB03.exe
PID 1184 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB03.exe
PID 1184 wrote to memory of 328 N/A N/A C:\Windows\system32\cmd.exe
PID 1184 wrote to memory of 328 N/A N/A C:\Windows\system32\cmd.exe
PID 1184 wrote to memory of 328 N/A N/A C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
PID 3012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
PID 3012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
PID 3012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
PID 3012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
PID 3012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
PID 3012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
PID 2424 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
PID 2424 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
PID 2424 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
PID 2424 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
PID 2424 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
PID 2424 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
PID 2424 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
PID 2016 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
PID 2016 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
PID 2016 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
PID 2016 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
PID 2016 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
PID 2016 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
PID 2016 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
PID 1184 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0.exe
PID 1184 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0.exe
PID 1184 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0.exe
PID 1184 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0.exe
PID 2732 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe
PID 2732 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe
PID 2732 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe
PID 2732 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe

"C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 52

C:\Users\Admin\AppData\Local\Temp\EE55.exe

C:\Users\Admin\AppData\Local\Temp\EE55.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

C:\Users\Admin\AppData\Local\Temp\FB03.exe

C:\Users\Admin\AppData\Local\Temp\FB03.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCC8.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe

C:\Users\Admin\AppData\Local\Temp\A0.exe

C:\Users\Admin\AppData\Local\Temp\A0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 48

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 48

C:\Users\Admin\AppData\Local\Temp\121E.exe

C:\Users\Admin\AppData\Local\Temp\121E.exe

C:\Users\Admin\AppData\Local\Temp\4A4E.exe

C:\Users\Admin\AppData\Local\Temp\4A4E.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\5567.exe

C:\Users\Admin\AppData\Local\Temp\5567.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\8962.exe

C:\Users\Admin\AppData\Local\Temp\8962.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 www.facebook.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp

Files

memory/2784-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2784-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2784-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2784-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2784-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1184-5-0x00000000029E0000-0x00000000029F6000-memory.dmp

memory/2784-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE55.exe

MD5 17ca01af6078ab82d5be176302982cb2
SHA1 96785e9d0a7e7dc2af324eadb86d3468079fa16b
SHA256 d257a38ff652ab96cb06ffa273b6855fd6c3ad3656b4ff21886fd9bd5456843f
SHA512 18f98fc36eeb1f5fd0d866f6942ca1f1246e938f72a010e49c612b5da0de803ec98a165c2372491e491ad4a2208b4635a17cd6e8b01e534e53b61d9b88ca0611

\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

MD5 0c82bbc1bc805e4d9bf9a9f2cd4f067e
SHA1 21b2e84ee072861223e992f20770b94b8e959bb6
SHA256 27d216599337c8b9d56993b6dfd6d278605ed628cc52672f8c65f572d855f19e
SHA512 6e573d83ce2823349d0090fe9b297d1d4ffc85d3db4929c3fe7723b4981ef855330b218a98baac065678029c39f586544dbdb934de1885b17dd22fbae966bd2d

C:\Users\Admin\AppData\Local\Temp\FB03.exe

MD5 38588a9be364f7685683fbb9ae5701f6
SHA1 97bae3514fc8d1dc20189842e68d85e551bb7331
SHA256 2286a1d872bfc810f53f3c4fbba3949e51cc78269940a5295edd8c5c0e540f7f
SHA512 15bb4c16668318e16f8d22a4b7a823ddd791e51eb1929252086a211a1239f53063e21a361d38a68a4f57cf80b0440a6f456dbf8d555eccfaa8508f62fa292cc2

C:\Users\Admin\AppData\Local\Temp\FCC8.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

MD5 6857155b99707989771fca1b209e186f
SHA1 081817a5775ab2efe928173d65ab31faf1f43f72
SHA256 db4578b202faa46d24863b586adf2e4133d798d2011cf7c9fb933c6cb63876f8
SHA512 8c595b0ef48f46fe998d4b47b8a719b72b574756a13a5c097ae19670d4bd6e3bc3556e1c147c9ba0bb555ec1cf09c49e3eaa9412fd1eb1fdb13966d0a5491a6c

\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

MD5 51c1982f96f23b9e57219f3f44e32ad6
SHA1 7cbe55314d38f1564b95e2a4b2f048d69be98cac
SHA256 e660a476c3b19015e455d518e33e62e215e1b6ce9fb71becb5822fc23f2ac7d7
SHA512 cf13048e0bcc2d3e3b7e24b3a999f79832ed42a8b3bdc340682cbd731d07e491ca68ca9d3fee268f604d0256d0c657480646a79d9c357d08435d677722949344

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe

MD5 9921636ad77074a0b0fe78d26b668f2a
SHA1 99c81b61177f6ed7bf8fe9e421cbf1c65720850f
SHA256 ce9899f4bc291b16559b17c058f559e1622218d1b21c3f76d97f72d4cbaf1616
SHA512 10fab75980ed6feffedce49b5c62802490445517a1a2ac1ebe82964538edb333f0b1060e5e44e510cd64de7dd57d930896556daa4e392690b41ec0db61774c4d

C:\Users\Admin\AppData\Local\Temp\A0.exe

MD5 e12610895c55af37a681423a02bc3779
SHA1 0da39bbbe202e20ca2b9811ba2deeb0e4c716e98
SHA256 4961d435fb4ec3ed4c225b28be186abf3741232fd26c72c678a4e2fa46de90d7
SHA512 32ca855d25dac190bc93cb92a06987065cf8c3f5b9f9c79bf1146117e81fe28829065bb189714a90032d3583c8e7ce8f4d350a6c8617a8d8767993132a034036

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe

MD5 7a06af08168ee22dec9e1ce956586356
SHA1 435dadb3e98b39cba5473a8d2d7d53f7eca46e6c
SHA256 a5cf1265a3e0a01df83ff1ee86c974340695457d444013efa35e13b4b2ac7420
SHA512 5f0e6e5dbf7900cccfb39fef1df796fe1729849f46c226dac8829ac4131495725da7f5d2aededf467f2e9b09a7f053efd39ce5ad4766dcdf35c603dfbc52a98e

\Users\Admin\AppData\Local\Temp\FB03.exe

MD5 38588a9be364f7685683fbb9ae5701f6
SHA1 97bae3514fc8d1dc20189842e68d85e551bb7331
SHA256 2286a1d872bfc810f53f3c4fbba3949e51cc78269940a5295edd8c5c0e540f7f
SHA512 15bb4c16668318e16f8d22a4b7a823ddd791e51eb1929252086a211a1239f53063e21a361d38a68a4f57cf80b0440a6f456dbf8d555eccfaa8508f62fa292cc2

C:\Users\Admin\AppData\Local\Temp\121E.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/1572-141-0x00000000002A0000-0x00000000002AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\4A4E.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1572-151-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5567.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/984-156-0x0000000001D20000-0x0000000001D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8962.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/1968-163-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1572-164-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

memory/1968-165-0x00000000002D0000-0x000000000032A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-11 20:28
Reported 2023-10-12 15:20
Platform win10v2004-20230915-en
Max time kernel 154s
Max time network 168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B17E.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B3D0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9083.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1E9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vt02Wg7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AF1A.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B17E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B3D0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B6CF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B902.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C2F7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DA0C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yG544kv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fjfaiiv N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C2F7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C2F7.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9083.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe N/A

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
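The registry rows in the Windows Defender, RunOnce, Geo\Nation, SCSI and BIOS tables above are flat text, so a small classifier that separates real tampering and persistence from installer housekeeping and sandbox fingerprinting is a useful first triage step. The block below is an added example written for this page; it is not code from the report or from the sandbox vendor. The row grammar it parses (operation, key, an optional quoted data field for Set value rows, the process, and a trailing N/A for the empty Target column) and the category names are assumptions inferred from those tables. Two caveats it encodes: the wextract_cleanupN values are written by wextract.exe, the stub of Windows self-extracting (IExpress) packages, to delete their IXP00N.TMP directory at the next logon, so the five entries document a five-deep nest of packages (the IXP000 to IXP004 chain in the Executes dropped EXE table) rather than payload persistence, which is what the generic Adds Run key signature suggests; and the Defender policy rows are attributed to an msedge.exe path that the Executes dropped EXE table lists as a file written during the run, so they should not be read as an action of the installed browser.

```python
"""Classify the registry rows a sandbox report attaches to its signatures.
Added example, not code from the report or from any sandbox vendor. The row grammar
(operation, key, optional = "data", process, trailing N/A) and the category names
are assumptions inferred from the tables above, not a documented format."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    op: str           # "Set value (int)", "Key value queried", ...
    key: str          # full \REGISTRY\... path (value name included for value ops)
    data: str | None  # data written by "Set value" rows, otherwise None
    process: str      # process that performed the operation


OPS = ("Set value (int)", "Set value (str)", "Key value queried",
       "Key enumerated", "Key created", "Key opened", "Key queried")
# The process column is the last field: a drive-letter path with single backslashes.
# Data strings in the report show backslashes doubled ("C:\\Windows"), so requiring
# the character after "X:\" not to be a backslash skips paths embedded in the data.
_PROC_RE = re.compile(r" ([A-Za-z]:\\(?!\\).*)$")
_IXP_RE = re.compile(r"IXP(\d{3})\.TMP", re.I)
DEFENDER_POLICY = "\\registry\\machine\\software\\policies\\microsoft\\windows defender\\"
RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run\\",
            "\\microsoft\\windows\\currentversion\\runonce\\")
HARDWARE_KEYS = ("\\registry\\machine\\hardware\\description\\system\\bios",
                 "\\registry\\machine\\system\\controlset001\\enum\\scsi")
GEO_NATION = "\\control panel\\international\\geo\\nation"


def parse_row(row: str) -> RegEvent:
    row = row.strip()
    if row.endswith(" N/A"):                  # empty Target column
        row = row[:-len(" N/A")]
    op = next((o for o in OPS if row.startswith(o + " ")), None)
    if op is None:
        raise ValueError(f"unrecognised operation: {row!r}")
    body = row[len(op) + 1:]
    m = _PROC_RE.search(body)
    if m is None:
        raise ValueError(f"no process path: {row!r}")
    key, data = body[:m.start()], None
    if op.startswith("Set value"):
        key, sep, quoted = key.partition(" = ")
        if not sep or len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
            raise ValueError(f"malformed Set value row: {row!r}")
        data = quoted[1:-1]                   # outer quotes off, report's escaping kept
    return RegEvent(op, key, data, m.group(1))


def classify(ev: RegEvent) -> str:
    key = ev.key.lower()
    name = key.rsplit("\\", 1)[-1]
    if key.startswith(DEFENDER_POLICY):
        # Policy values override the user's settings; Disable* = 1 turns that protection off.
        if ev.op.startswith("Set value") and name.startswith("disable") and ev.data == "1":
            return "defender-tamper"
        return "defender-policy-touch"
    if ev.op.startswith("Set value") and any(r in key for r in RUN_KEYS):
        # wextract.exe (the stub of Windows self-extracting/IExpress packages) writes
        # RunOnce\wextract_cleanupN = rundll32 advpack.dll,DelNodeRunDLL32 "<IXP00N.TMP>"
        # so its extraction directory is deleted at next logon: housekeeping, not a launcher.
        if re.fullmatch(r"wextract_cleanup\d+", name) and ev.data \
                and "advpack.dll,delnoderundll32" in ev.data.lower():
            return "wextract-cleanup"
        return "run-key-persistence"
    if key.endswith(GEO_NATION):              # the user's configured country (GeoID)
        return "locale-check"
    if any(key.startswith(h) for h in HARDWARE_KEYS):
        return "hardware-fingerprint"        # BIOS strings, SCSI enumeration: usual VM checks
    return "other"


def summarize(rows) -> dict[str, list[RegEvent]]:
    by_class = defaultdict(list)
    for ev in map(parse_row, rows):
        by_class[classify(ev)].append(ev)
    return dict(by_class)


def extractor_chain(rows) -> list[tuple[int, str]]:
    """(stage, process) per wextract cleanup entry; each stage is one nested package."""
    out = []
    for ev in map(parse_row, rows):
        if classify(ev) == "wextract-cleanup" and (m := _IXP_RE.search(ev.data)):
            out.append((int(m.group(1)), ev.process))
    return sorted(out)


# Rows copied from the behavioral2 signature tables above.
ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B17E.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9083.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe N/A',
    r'Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A',
]

if __name__ == "__main__":
    for cls, evs in summarize(ROWS).items():
        print(f"{cls:22} {len(evs)} event(s) from {sorted({e.process for e in evs})}")
    print("extractor chain:", extractor_chain(ROWS))
```

Run as a script it prints one line per category with the responsible processes, followed by the extractor chain; on the full RunOnce table the chain has five stages, matching the IXP000 to IXP004 directories, and the only process that reaches defender-tamper is the dropped msedge.exe path. A Run or RunOnce value that is not the wextract stub still lands in run-key-persistence, so the benign special case does not hide real persistence.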

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B3D0.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 872 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 872 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 872 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 872 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 872 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 872 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2684 wrote to memory of 3872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9083.exe
PID 2684 wrote to memory of 3872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9083.exe
PID 2684 wrote to memory of 3872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9083.exe
PID 2684 wrote to memory of 4816 N/A N/A C:\Users\Admin\AppData\Local\Temp\A1E9.exe
PID 2684 wrote to memory of 4816 N/A N/A C:\Users\Admin\AppData\Local\Temp\A1E9.exe
PID 2684 wrote to memory of 4816 N/A N/A C:\Users\Admin\AppData\Local\Temp\A1E9.exe
PID 3872 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\9083.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe
PID 3872 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\9083.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe
PID 3872 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\9083.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe
PID 2684 wrote to memory of 5100 N/A N/A C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 5100 N/A N/A C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe
PID 4416 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe
PID 4416 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe
PID 4704 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe
PID 4704 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe
PID 4704 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe
PID 2856 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe
PID 2856 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe
PID 2856 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe
PID 2684 wrote to memory of 4264 N/A N/A C:\Users\Admin\AppData\Local\Temp\AF1A.exe
PID 2684 wrote to memory of 4264 N/A N/A C:\Users\Admin\AppData\Local\Temp\AF1A.exe
PID 2684 wrote to memory of 4264 N/A N/A C:\Users\Admin\AppData\Local\Temp\AF1A.exe
PID 3424 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vt02Wg7.exe
PID 3424 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vt02Wg7.exe
PID 3424 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vt02Wg7.exe
PID 2684 wrote to memory of 404 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2684 wrote to memory of 404 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2684 wrote to memory of 3368 N/A N/A C:\Users\Admin\AppData\Local\Temp\B17E.exe
PID 2684 wrote to memory of 3368 N/A N/A C:\Users\Admin\AppData\Local\Temp\B17E.exe
PID 2684 wrote to memory of 3368 N/A N/A C:\Users\Admin\AppData\Local\Temp\B17E.exe
PID 2684 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\B3D0.exe
PID 2684 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\B3D0.exe
PID 2684 wrote to memory of 1288 N/A N/A C:\Users\Admin\AppData\Local\Temp\B3D0.exe
PID 3368 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\B17E.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3368 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\B17E.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3368 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\B17E.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2684 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\B6CF.exe
PID 2684 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\B6CF.exe
PID 2684 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\B6CF.exe
PID 2684 wrote to memory of 4548 N/A N/A C:\Users\Admin\AppData\Local\Temp\B902.exe
PID 2684 wrote to memory of 4548 N/A N/A C:\Users\Admin\AppData\Local\Temp\B902.exe
PID 2684 wrote to memory of 4548 N/A N/A C:\Users\Admin\AppData\Local\Temp\B902.exe
PID 1196 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1196 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1196 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1288 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\B3D0.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 1288 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\B3D0.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 1288 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\B3D0.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 1196 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDA7.exe
PID 2684 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDA7.exe
PID 2684 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDA7.exe
PID 2684 wrote to memory of 548 N/A N/A C:\Users\Admin\AppData\Local\Temp\C2F7.exe
PID 2684 wrote to memory of 548 N/A N/A C:\Users\Admin\AppData\Local\Temp\C2F7.exe
PID 2684 wrote to memory of 548 N/A N/A C:\Users\Admin\AppData\Local\Temp\C2F7.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe

"C:\Users\Admin\AppData\Local\Temp\8da313e45a206fec25907770fe737aa1a5dea1d5cd934924758401930a8c147f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 872 -ip 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 236

C:\Users\Admin\AppData\Local\Temp\9083.exe

C:\Users\Admin\AppData\Local\Temp\9083.exe

C:\Users\Admin\AppData\Local\Temp\A1E9.exe

C:\Users\Admin\AppData\Local\Temp\A1E9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB02.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TW2av6xe.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vt02Wg7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vt02Wg7.exe

C:\Users\Admin\AppData\Local\Temp\AF1A.exe

C:\Users\Admin\AppData\Local\Temp\AF1A.exe

C:\Users\Admin\AppData\Local\Temp\B006.exe

C:\Users\Admin\AppData\Local\Temp\B006.exe

C:\Users\Admin\AppData\Local\Temp\B17E.exe

C:\Users\Admin\AppData\Local\Temp\B17E.exe

C:\Users\Admin\AppData\Local\Temp\B3D0.exe

C:\Users\Admin\AppData\Local\Temp\B3D0.exe

C:\Users\Admin\AppData\Local\Temp\B6CF.exe

C:\Users\Admin\AppData\Local\Temp\B6CF.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\B902.exe

C:\Users\Admin\AppData\Local\Temp\B902.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\BDA7.exe

C:\Users\Admin\AppData\Local\Temp\BDA7.exe

C:\Users\Admin\AppData\Local\Temp\C2F7.exe

C:\Users\Admin\AppData\Local\Temp\C2F7.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\C8E4.exe

C:\Users\Admin\AppData\Local\Temp\C8E4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 548 -ip 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe404946f8,0x7ffe40494708,0x7ffe40494718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 140

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4816 -ip 4816

C:\Users\Admin\AppData\Local\Temp\DA0C.exe

C:\Users\Admin\AppData\Local\Temp\DA0C.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4924 -ip 4924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2124 -ip 2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2324 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B6CF.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe404946f8,0x7ffe40494708,0x7ffe40494718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yG544kv.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yG544kv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe404946f8,0x7ffe40494708,0x7ffe40494718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4264 -ip 4264

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B6CF.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe404946f8,0x7ffe40494708,0x7ffe40494718

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16502658985501229507,9323170001815408095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Roaming\fjfaiiv

C:\Users\Admin\AppData\Roaming\fjfaiiv

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 learn.microsoft.com udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
IE 34.249.203.210:443 mscom.demdex.net tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 210.203.249.34.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 20.189.173.7:443 browser.events.data.microsoft.com tcp
US 20.189.173.7:443 browser.events.data.microsoft.com tcp
US 20.189.173.7:443 browser.events.data.microsoft.com tcp
US 20.189.173.7:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 142.250.179.141:443 accounts.google.com udp

Files

memory/4940-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4940-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2684-2-0x0000000003500000-0x0000000003516000-memory.dmp

memory/4940-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9083.exe

MD5 4daecf597a2dd31dfb503f03d8066da5
SHA1 dfe9e91e51bd8772494fd47ff1f49efff7a5f2fe
SHA256 78e2c4ad5bd7d9203cf3b62532d0200d1d2d8cea1eb364c780eb0b502920ace1
SHA512 031ba5853cb526a8ff25817038c91389a69e49bf9690d90071ed3f6b31be1e16daaf4f4beac5a838a94b0c7b9ac6f4fd23345a8fdb6593331c00b2b7c61a2836

C:\Users\Admin\AppData\Local\Temp\9083.exe

MD5 4daecf597a2dd31dfb503f03d8066da5
SHA1 dfe9e91e51bd8772494fd47ff1f49efff7a5f2fe
SHA256 78e2c4ad5bd7d9203cf3b62532d0200d1d2d8cea1eb364c780eb0b502920ace1
SHA512 031ba5853cb526a8ff25817038c91389a69e49bf9690d90071ed3f6b31be1e16daaf4f4beac5a838a94b0c7b9ac6f4fd23345a8fdb6593331c00b2b7c61a2836

C:\Users\Admin\AppData\Local\Temp\A1E9.exe

MD5 5ccaee1dcedc87915eee516995101794
SHA1 05fde259eb069f0bd6152b692c2fa47dcce176b7
SHA256 af307ebc2f3925c396f95a4ef2711e4420ac192c75908fc4390bbbeac64c3c1e
SHA512 754b9545c40bdb6fe509b8d1aa9aa5eea74e9e23638c2d9af7a1ba2316b9d0d67701d009d6852c9173a3024c0f33691fbeab795e47eac1aed66efb560b55b186

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe

MD5 93eca4fbb38e680273d719c5461eb9dd
SHA1 e9efcc3eba4a0e7ada5b9384b31afd4f9078fafa
SHA256 5e9120ad469565e0614de446c6ee641fd860afd734a37d7ab60f29e6398c3514
SHA512 17753661bb12893c20851b5715aab8f36eda21abbbf8995f1faf3288c50f114c66502dc61774f605f5f698de4235cce7c58fd3faf267027f3228b637487284d9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jQ1Mr4Mt.exe

MD5 93eca4fbb38e680273d719c5461eb9dd
SHA1 e9efcc3eba4a0e7ada5b9384b31afd4f9078fafa
SHA256 5e9120ad469565e0614de446c6ee641fd860afd734a37d7ab60f29e6398c3514
SHA512 17753661bb12893c20851b5715aab8f36eda21abbbf8995f1faf3288c50f114c66502dc61774f605f5f698de4235cce7c58fd3faf267027f3228b637487284d9

C:\Users\Admin\AppData\Local\Temp\A1E9.exe

MD5 5ccaee1dcedc87915eee516995101794
SHA1 05fde259eb069f0bd6152b692c2fa47dcce176b7
SHA256 af307ebc2f3925c396f95a4ef2711e4420ac192c75908fc4390bbbeac64c3c1e
SHA512 754b9545c40bdb6fe509b8d1aa9aa5eea74e9e23638c2d9af7a1ba2316b9d0d67701d009d6852c9173a3024c0f33691fbeab795e47eac1aed66efb560b55b186

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe

MD5 ecdc17897ca326301560784d0c964317
SHA1 4be4d648d480b29e0a92a1760aabad538f47766e
SHA256 3e067a08ce9d8da313102955d1d5133e7add6753ae8cdd3274fc471ae6743b48
SHA512 3a11ae20866b3e5b0408216868b4468a14e68670d586c519796cdf2d5aed8d907171ed8bcd93a7e7fd0906d7473c20e9f3ea31f41ef19f50dbc4eca8fe191b6d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx2Ha8Yf.exe

MD5 ecdc17897ca326301560784d0c964317
SHA1 4be4d648d480b29e0a92a1760aabad538f47766e
SHA256 3e067a08ce9d8da313102955d1d5133e7add6753ae8cdd3274fc471ae6743b48
SHA512 3a11ae20866b3e5b0408216868b4468a14e68670d586c519796cdf2d5aed8d907171ed8bcd93a7e7fd0906d7473c20e9f3ea31f41ef19f50dbc4eca8fe191b6d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe

MD5 e87b59ab8ed79bad6f01e2ede94fd7ab
SHA1 f04548e4f693ac87e5f82a09592f6161278e4b82
SHA256 b041155dfecd86a847e9bf49cafc8cf2bce0a21e414c1a443f70f33ff86abbef
SHA512 760a6dfe218d21b35ae1fab0ab68093a7886a24af85f6dc629773856330b0482f07233bccd6cdb76c2722d832dabb28598fab7fdd5dc78ae9c59288a5f5390ac

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nD5Mc7XS.exe

MD5 e87b59ab8ed79bad6f01e2ede94fd7ab