Malware Analysis Report

2025-08-10 23:41

Sample ID 231011-zbptssdf48
Target 3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7
SHA256 3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7
Tags
amadey healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor dropper evasion infostealer persistence rat trojan dcrat breha kukish microsoft discovery phishing spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7

Threat Level: Known bad

The file 3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7 was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Amadey

DcRat

SectopRAT

SectopRAT payload

Modifies Windows Defender Real-time Protection settings

RedLine

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Enumerates physical storage devices

Program crash

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 20:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 20:32

Reported

2023-10-12 15:25

Platform

win7-20230831-en

Max time kernel

255s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
3 matches; no indicator, process or target detail recorded for this signature.

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
All writes by C:\Users\Admin\AppData\Local\Temp\E1DB.exe:
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
These are the Group Policy values for Defender real-time protection, the same ones a GPO would set, so writing them needs administrative rights; the sample ran as the user Admin, evidently with those rights, which is why the writes succeeded. On a host where Defender is the active AV, any of these values being set to 1 by something other than a policy refresh is alert-worthy on its own. The behaviour is consistent with the "Detects Healer an antivirus disabler dropper" detection above.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
13 matches; no indicator, process or target detail recorded for this signature.

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
3 matches; no indicator, process or target detail recorded for this signature.

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
27 matches, by loading process (the loaded DLL names are not recorded):
C:\Users\Admin\AppData\Local\Temp\6EF9.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe (3)
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe (1)
C:\Windows\SysWOW64\WerFault.exe (12)
C:\Users\Admin\AppData\Local\Temp\E2A7.exe (1)
C:\Users\Admin\AppData\Local\Temp\E43D.exe (1)
process not recorded (1)

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Both writes by C:\Users\Admin\AppData\Local\Temp\E1DB.exe:
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
This is the same process that disabled the Real-Time Protection policy values above. On a current Windows 10/11 host with Tamper Protection switched on, the Defender service blocks direct registry edits of its protection settings, so a write like this succeeding is itself a sign the host lacks that control; the detonation platform here is Windows 7, which has no Tamper Protection at all.
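The two registry-write signatures above (the Real-Time Protection policy values and the TamperProtection flag) are straightforward to alert on from endpoint registry telemetry. What follows is an added example, not part of the sandbox report and not vendor tooling: it checks Sysmon Event ID 13 ("RegistryEvent (Value Set)") records for exactly those writes. The event records are constructed to mirror the report's rows; the field names (Image, TargetObject, Details) follow Sysmon's schema, and mapping the kernel-style \REGISTRY\MACHINE prefix onto HKLM is an assumption about how your pipeline renders registry paths.

```python
"""Added example (not from the sandbox report): flag Windows Defender
disable-writes in Sysmon Event ID 13 "RegistryEvent (Value Set)" records.

The sample events are constructed to mirror the report's registry rows;
field names follow Sysmon's schema (Image, TargetObject, Details)."""
import re
from dataclasses import dataclass

# Group Policy values that switch off Defender real-time protection (set to 1).
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
# Tamper Protection flag (set to 0 to switch it off).
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"


@dataclass(frozen=True)
class Finding:
    image: str
    value_name: str
    data: int
    reason: str


def _normalise(path: str) -> str:
    """Map the kernel form (\\REGISTRY\\MACHINE\\...) used by sandboxes onto the
    HKLM\\... form Sysmon writes, case-folded so comparisons are stable."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.IGNORECASE)
    return path.lower()


def _dword(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; the sandbox writes '1'.
    Return the integer, or None if the data is not numeric."""
    hexmatch = re.search(r"0x([0-9a-f]+)", details, flags=re.IGNORECASE)
    if hexmatch:
        return int(hexmatch.group(1), 16)
    decmatch = re.search(r"-?\d+", details)
    return int(decmatch.group(0)) if decmatch else None


def check_defender_tamper(events):
    """Return a Finding for every event that disables a Defender protection."""
    findings = []
    rtp_key = _normalise(RTP_POLICY_KEY)
    features_key = _normalise(FEATURES_KEY)
    for ev in events:
        if ev.get("EventID") != 13:           # only "Value Set" events carry data
            continue
        key, _, name = _normalise(ev["TargetObject"]).rpartition("\\")
        data = _dword(ev.get("Details", ""))
        if key == rtp_key and name in RTP_DISABLE_VALUES and data == 1:
            findings.append(Finding(ev["Image"], name, data,
                                    "real-time protection component disabled via policy"))
        elif key == features_key and name == "tamperprotection" and data == 0:
            findings.append(Finding(ev["Image"], name, data,
                                    "Tamper Protection switched off"))
    return findings


def offending_images(findings):
    """Group the value names written by each process."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f.image, set()).add(f.value_name)
    return by_image


# Constructed sample telemetry: the six writes from the report, one benign
# policy write that re-enables monitoring, and one key-create event.
_E1DB = r"C:\Users\Admin\AppData\Local\Temp\E1DB.exe"
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": _E1DB, "TargetObject": _RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _E1DB, "TargetObject": _RTP + r"\DisableIOAVProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _E1DB, "TargetObject": _RTP + r"\DisableOnAccessProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _E1DB, "TargetObject": _RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _E1DB, "TargetObject": _RTP + r"\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _E1DB, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "Details": "DWORD (0x00000000)"},
    # benign: a policy refresh re-enabling real-time monitoring (value 0) must not fire
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
    # benign: a key-create event (EventID 12) carries no data and is ignored
    {"EventID": 12, "Image": _E1DB, "TargetObject": _RTP, "Details": ""},
]

if __name__ == "__main__":
    for f in check_defender_tamper(SAMPLE_EVENTS):
        print(f"{f.image}: {f.value_name}={f.data} ({f.reason})")
```

Run against the constructed events this reports six writes, all from E1DB.exe, and stays silent on the policy refresh that sets DisableRealtimeMonitoring back to 0; matching on the numeric value rather than on the value name alone is what keeps a GPO re-enable from paging anyone.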

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by C:\Users\Admin\AppData\Local\Temp\6EF9.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" by C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" by C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" by C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
Despite the signature name, these RunOnce entries are not the malware's own persistence. wextract_cleanupN values pointing at advpack.dll,DelNodeRunDLL32 are what the Windows IExpress self-extractor (wextract) registers so that its IXP00N.TMP extraction directory is deleted at the next logon. Five of them, each written by the stage extracted into the previous IXP directory, show that 6EF9.exe is a five-deep nest of IExpress packages; the persistence that matters is the scheduled tasks listed further down.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe opened, queried and enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI.
AppLaunch.exe is the .NET host the sample wrote into (see Suspicious use of WriteProcessMemory below), so this disk enumeration is the injected code fingerprinting the host, not behaviour of the host binary itself.

Creates scheduled task(s)

persistence
Description Indicator Process Target
Two invocations of C:\Windows\SysWOW64\schtasks.exe; the full command lines are listed under Processes.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
64 matches; the process is recorded for only two of them, both C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
1 match; no detail recorded.

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege (15 adjustments; process not recorded)
Token: SeDebugPrivilege C:\Users\Admin\AppData\Local\Temp\E1DB.exe
SeDebugPrivilege is the one to note: it is enabled by the same process that rewrote the Defender settings, and it is what lets a process open other processes regardless of their DACL, the usual prerequisite for injecting into or terminating security software.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
C:\Users\Admin\AppData\Local\Temp\E43D.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Collapsed to unique source/target pairs (64 rows in total; the count is the number of writes the sandbox logged for that pair):
PID 2640 -> 2920 (10 writes) C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2640 -> 2492 (4 writes) C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe -> C:\Windows\SysWOW64\WerFault.exe
PID 1244 -> 2544 (7 writes) source image not recorded -> C:\Users\Admin\AppData\Local\Temp\6EF9.exe
PID 2544 -> 3012 (7 writes) C:\Users\Admin\AppData\Local\Temp\6EF9.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe
PID 3012 -> 1544 (7 writes) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe
PID 1544 -> 2992 (7 writes) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe -> C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe
PID 1244 -> 3052 (4 writes) source image not recorded -> C:\Users\Admin\AppData\Local\Temp\8383.exe
PID 2992 -> 2800 (7 writes) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe -> C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe
PID 2800 -> 2776 (7 writes) C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe -> C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe
PID 3052 -> 824 (4 writes) C:\Users\Admin\AppData\Local\Temp\8383.exe -> C:\Windows\SysWOW64\WerFault.exe
Reading: the sandbox records a handful of writes whenever a parent starts a child, so most pairs simply trace the spawn tree: 6EF9.exe unpacking five nested IExpress stages, PID 1244 (image not named in the report) launching the two downloaded payloads, and crashing processes starting WerFault.exe (compare the -p arguments on the WerFault command lines under Processes). The pair that matters is 2640 -> 2920, the sample writing into the .NET host AppLaunch.exe; together with the SetThreadContext and MapViewOfSection signatures and the 0x400000-0x409000 dumps of PID 2920 under Files, that is the usual shape of process hollowing of a signed Microsoft binary.

Processes

C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe

"C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 52

C:\Users\Admin\AppData\Local\Temp\6EF9.exe

C:\Users\Admin\AppData\Local\Temp\6EF9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

C:\Users\Admin\AppData\Local\Temp\8383.exe

C:\Users\Admin\AppData\Local\Temp\8383.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 48

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 36

C:\Users\Admin\AppData\Local\Temp\E0A2.exe

C:\Users\Admin\AppData\Local\Temp\E0A2.exe

C:\Users\Admin\AppData\Local\Temp\E1DB.exe

C:\Users\Admin\AppData\Local\Temp\E1DB.exe

C:\Users\Admin\AppData\Local\Temp\E2A7.exe

C:\Users\Admin\AppData\Local\Temp\E2A7.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\E43D.exe

C:\Users\Admin\AppData\Local\Temp\E43D.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 48

C:\Users\Admin\AppData\Local\Temp\E7D7.exe

C:\Users\Admin\AppData\Local\Temp\E7D7.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\B6E.exe

C:\Users\Admin\AppData\Local\Temp\B6E.exe

C:\Users\Admin\AppData\Local\Temp\1CAE.exe

C:\Users\Admin\AppData\Local\Temp\1CAE.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\7E6D.exe

C:\Users\Admin\AppData\Local\Temp\7E6D.exe

C:\Users\Admin\AppData\Local\Temp\9143.exe

C:\Users\Admin\AppData\Local\Temp\9143.exe

C:\Users\Admin\AppData\Local\Temp\B152.exe

C:\Users\Admin\AppData\Local\Temp\B152.exe

Network

Country Destination Domain Proto Connections
FI 77.91.68.29:80 77.91.68.29 tcp 6
FI 77.91.68.52:80 (none recorded) tcp 1
RU 5.42.65.80:80 5.42.65.80 tcp 1
TR 185.216.70.222:80 185.216.70.222 tcp 1
BG 171.22.28.213:80 171.22.28.213 tcp 1
All ten connections are plain HTTP to port 80 on raw IPv4 addresses, and the report records no hostname for any of them (the Domain column repeats the IP or is empty). Direct-to-IP HTTP from a process running out of AppData\Local\Temp is a usable network detection for this kind of loader traffic independent of the specific addresses, which rotate.

Files

memory/2920-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2920-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2920-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2920-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2920-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2920-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1244-5-0x0000000002C70000-0x0000000002C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6EF9.exe

MD5 17ca01af6078ab82d5be176302982cb2
SHA1 96785e9d0a7e7dc2af324eadb86d3468079fa16b
SHA256 d257a38ff652ab96cb06ffa273b6855fd6c3ad3656b4ff21886fd9bd5456843f
SHA512 18f98fc36eeb1f5fd0d866f6942ca1f1246e938f72a010e49c612b5da0de803ec98a165c2372491e491ad4a2208b4635a17cd6e8b01e534e53b61d9b88ca0611

C:\Users\Admin\AppData\Local\Temp\6EF9.exe

MD5 17ca01af6078ab82d5be176302982cb2
SHA1 96785e9d0a7e7dc2af324eadb86d3468079fa16b
SHA256 d257a38ff652ab96cb06ffa273b6855fd6c3ad3656b4ff21886fd9bd5456843f
SHA512 18f98fc36eeb1f5fd0d866f6942ca1f1246e938f72a010e49c612b5da0de803ec98a165c2372491e491ad4a2208b4635a17cd6e8b01e534e53b61d9b88ca0611

\Users\Admin\AppData\Local\Temp\6EF9.exe

MD5 17ca01af6078ab82d5be176302982cb2
SHA1 96785e9d0a7e7dc2af324eadb86d3468079fa16b
SHA256 d257a38ff652ab96cb06ffa273b6855fd6c3ad3656b4ff21886fd9bd5456843f
SHA512 18f98fc36eeb1f5fd0d866f6942ca1f1246e938f72a010e49c612b5da0de803ec98a165c2372491e491ad4a2208b4635a17cd6e8b01e534e53b61d9b88ca0611

\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

MD5 0c82bbc1bc805e4d9bf9a9f2cd4f067e
SHA1 21b2e84ee072861223e992f20770b94b8e959bb6
SHA256 27d216599337c8b9d56993b6dfd6d278605ed628cc52672f8c65f572d855f19e
SHA512 6e573d83ce2823349d0090fe9b297d1d4ffc85d3db4929c3fe7723b4981ef855330b218a98baac065678029c39f586544dbdb934de1885b17dd22fbae966bd2d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

MD5 0c82bbc1bc805e4d9bf9a9f2cd4f067e
SHA1 21b2e84ee072861223e992f20770b94b8e959bb6
SHA256 27d216599337c8b9d56993b6dfd6d278605ed628cc52672f8c65f572d855f19e
SHA512 6e573d83ce2823349d0090fe9b297d1d4ffc85d3db4929c3fe7723b4981ef855330b218a98baac065678029c39f586544dbdb934de1885b17dd22fbae966bd2d

\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

MD5 0c82bbc1bc805e4d9bf9a9f2cd4f067e
SHA1 21b2e84ee072861223e992f20770b94b8e959bb6
SHA256 27d216599337c8b9d56993b6dfd6d278605ed628cc52672f8c65f572d855f19e
SHA512 6e573d83ce2823349d0090fe9b297d1d4ffc85d3db4929c3fe7723b4981ef855330b218a98baac065678029c39f586544dbdb934de1885b17dd22fbae966bd2d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QA6bV1dd.exe

MD5 0c82bbc1bc805e4d9bf9a9f2cd4f067e
SHA1 21b2e84ee072861223e992f20770b94b8e959bb6
SHA256 27d216599337c8b9d56993b6dfd6d278605ed628cc52672f8c65f572d855f19e
SHA512 6e573d83ce2823349d0090fe9b297d1d4ffc85d3db4929c3fe7723b4981ef855330b218a98baac065678029c39f586544dbdb934de1885b17dd22fbae966bd2d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

MD5 6857155b99707989771fca1b209e186f
SHA1 081817a5775ab2efe928173d65ab31faf1f43f72
SHA256 db4578b202faa46d24863b586adf2e4133d798d2011cf7c9fb933c6cb63876f8
SHA512 8c595b0ef48f46fe998d4b47b8a719b72b574756a13a5c097ae19670d4bd6e3bc3556e1c147c9ba0bb555ec1cf09c49e3eaa9412fd1eb1fdb13966d0a5491a6c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

MD5 6857155b99707989771fca1b209e186f
SHA1 081817a5775ab2efe928173d65ab31faf1f43f72
SHA256 db4578b202faa46d24863b586adf2e4133d798d2011cf7c9fb933c6cb63876f8
SHA512 8c595b0ef48f46fe998d4b47b8a719b72b574756a13a5c097ae19670d4bd6e3bc3556e1c147c9ba0bb555ec1cf09c49e3eaa9412fd1eb1fdb13966d0a5491a6c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

MD5 6857155b99707989771fca1b209e186f
SHA1 081817a5775ab2efe928173d65ab31faf1f43f72
SHA256 db4578b202faa46d24863b586adf2e4133d798d2011cf7c9fb933c6cb63876f8
SHA512 8c595b0ef48f46fe998d4b47b8a719b72b574756a13a5c097ae19670d4bd6e3bc3556e1c147c9ba0bb555ec1cf09c49e3eaa9412fd1eb1fdb13966d0a5491a6c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT8yh8oG.exe

MD5 6857155b99707989771fca1b209e186f
SHA1 081817a5775ab2efe928173d65ab31faf1f43f72
SHA256 db4578b202faa46d24863b586adf2e4133d798d2011cf7c9fb933c6cb63876f8
SHA512 8c595b0ef48f46fe998d4b47b8a719b72b574756a13a5c097ae19670d4bd6e3bc3556e1c147c9ba0bb555ec1cf09c49e3eaa9412fd1eb1fdb13966d0a5491a6c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

MD5 51c1982f96f23b9e57219f3f44e32ad6
SHA1 7cbe55314d38f1564b95e2a4b2f048d69be98cac
SHA256 e660a476c3b19015e455d518e33e62e215e1b6ce9fb71becb5822fc23f2ac7d7
SHA512 cf13048e0bcc2d3e3b7e24b3a999f79832ed42a8b3bdc340682cbd731d07e491ca68ca9d3fee268f604d0256d0c657480646a79d9c357d08435d677722949344

\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

MD5 51c1982f96f23b9e57219f3f44e32ad6
SHA1 7cbe55314d38f1564b95e2a4b2f048d69be98cac
SHA256 e660a476c3b19015e455d518e33e62e215e1b6ce9fb71becb5822fc23f2ac7d7
SHA512 cf13048e0bcc2d3e3b7e24b3a999f79832ed42a8b3bdc340682cbd731d07e491ca68ca9d3fee268f604d0256d0c657480646a79d9c357d08435d677722949344

C:\Users\Admin\AppData\Local\Temp\8383.exe

MD5 38588a9be364f7685683fbb9ae5701f6
SHA1 97bae3514fc8d1dc20189842e68d85e551bb7331
SHA256 2286a1d872bfc810f53f3c4fbba3949e51cc78269940a5295edd8c5c0e540f7f
SHA512 15bb4c16668318e16f8d22a4b7a823ddd791e51eb1929252086a211a1239f53063e21a361d38a68a4f57cf80b0440a6f456dbf8d555eccfaa8508f62fa292cc2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

MD5 51c1982f96f23b9e57219f3f44e32ad6
SHA1 7cbe55314d38f1564b95e2a4b2f048d69be98cac
SHA256 e660a476c3b19015e455d518e33e62e215e1b6ce9fb71becb5822fc23f2ac7d7
SHA512 cf13048e0bcc2d3e3b7e24b3a999f79832ed42a8b3bdc340682cbd731d07e491ca68ca9d3fee268f604d0256d0c657480646a79d9c357d08435d677722949344

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xu1pi0Sf.exe

MD5 51c1982f96f23b9e57219f3f44e32ad6
SHA1 7cbe55314d38f1564b95e2a4b2f048d69be98cac
SHA256 e660a476c3b19015e455d518e33e62e215e1b6ce9fb71becb5822fc23f2ac7d7
SHA512 cf13048e0bcc2d3e3b7e24b3a999f79832ed42a8b3bdc340682cbd731d07e491ca68ca9d3fee268f604d0256d0c657480646a79d9c357d08435d677722949344

C:\Users\Admin\AppData\Local\Temp\8383.exe

MD5 38588a9be364f7685683fbb9ae5701f6
SHA1 97bae3514fc8d1dc20189842e68d85e551bb7331
SHA256 2286a1d872bfc810f53f3c4fbba3949e51cc78269940a5295edd8c5c0e540f7f
SHA512 15bb4c16668318e16f8d22a4b7a823ddd791e51eb1929252086a211a1239f53063e21a361d38a68a4f57cf80b0440a6f456dbf8d555eccfaa8508f62fa292cc2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC2gm6Pk.exe

MD5 9921636ad77074a0b0fe78d26b668f2a
SHA1 99c81b61177f6ed7bf8fe9e421cbf1c65720850f
SHA256 ce9899f4bc291b16559b17c058f559e1622218d1b21c3f76d97f72d4cbaf1616
SHA512 10fab75980ed6feffedce49b5c62802490445517a1a2ac1ebe82964538edb333f0b1060e5e44e510cd64de7dd57d930896556daa4e392690b41ec0db61774c4d

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hY16OL4.exe

MD5 7a06af08168ee22dec9e1ce956586356
SHA1 435dadb3e98b39cba5473a8d2d7d53f7eca46e6c
SHA256 a5cf1265a3e0a01df83ff1ee86c974340695457d444013efa35e13b4b2ac7420
SHA512 5f0e6e5dbf7900cccfb39fef1df796fe1729849f46c226dac8829ac4131495725da7f5d2aededf467f2e9b09a7f053efd39ce5ad4766dcdf35c603dfbc52a98e

C:\Users\Admin\AppData\Local\Temp\E0A2.exe

MD5 e12610895c55af37a681423a02bc3779
SHA1 0da39bbbe202e20ca2b9811ba2deeb0e4c716e98
SHA256 4961d435fb4ec3ed4c225b28be186abf3741232fd26c72c678a4e2fa46de90d7
SHA512 32ca855d25dac190bc93cb92a06987065cf8c3f5b9f9c79bf1146117e81fe28829065bb189714a90032d3583c8e7ce8f4d350a6c8617a8d8767993132a034036

C:\Users\Admin\AppData\Local\Temp\E1DB.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\E2A7.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1272-102-0x0000000000280000-0x000000000028A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E43D.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\E7D7.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/1600-133-0x00000000002E0000-0x000000000033A000-memory.dmp

memory/1272-137-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

memory/1600-138-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B6E.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/860-145-0x0000000072E00000-0x00000000734EE000-memory.dmp

memory/1600-146-0x0000000072E00000-0x00000000734EE000-memory.dmp

memory/1272-147-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1CAE.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

memory/860-152-0x00000000000F0000-0x000000000010E000-memory.dmp

memory/2200-153-0x0000000000260000-0x00000000003B8000-memory.dmp

memory/2200-155-0x0000000000260000-0x00000000003B8000-memory.dmp

memory/2188-156-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2188-158-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2188-162-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2200-164-0x0000000000260000-0x00000000003B8000-memory.dmp

memory/2188-166-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2188-167-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E6D.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/860-173-0x0000000072E00000-0x00000000734EE000-memory.dmp

memory/1600-174-0x0000000072E00000-0x00000000734EE000-memory.dmp

memory/2032-175-0x00000000002D0000-0x000000000032A000-memory.dmp

memory/2188-177-0x0000000072E00000-0x00000000734EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9143.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/2692-183-0x0000000072E00000-0x00000000734EE000-memory.dmp

memory/2692-182-0x00000000009A0000-0x00000000009FA000-memory.dmp

memory/1600-185-0x0000000007040000-0x0000000007080000-memory.dmp

memory/2692-186-0x0000000007290000-0x00000000072D0000-memory.dmp

memory/2188-187-0x00000000074B0000-0x00000000074F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\B152.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

C:\Users\Admin\AppData\Local\Temp\B152.exe

MD5 e3a0ff312c3029c1480260fc19f7b77d
SHA1 100c3cf664fdebb86df0c85066aedc8cdc149ac2
SHA256 bf245cd3986b9e802e90ed22225eb53720dc4961dfb4f9c00c8aca3dabf703bc
SHA512 318a7072111a579d90fc45b41303294dcf3fd1b94c1ed101375fa3dc74b2950363ea20dd2a10b8a8f1cc3319afbf8efaa7407223c887c2627dfd74e701c31d90

memory/2188-193-0x0000000072E00000-0x00000000734EE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 20:32

Reported

2023-10-12 15:23

Platform

win10v2004-20230915-en

Max time kernel

158s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\B853.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\B853.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\B853.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\B853.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\B853.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\B853.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BA57.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BC7B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\B853.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\B0CD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe N/A

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B853.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BC7B.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Temp\B0CD.exe
PID 3180 wrote to memory of 984 N/A N/A C:\Users\Admin\AppData\Local\Temp\B35E.exe
PID 3180 wrote to memory of 3944 N/A N/A C:\Windows\system32\cmd.exe
PID 3180 wrote to memory of 1116 N/A N/A C:\Users\Admin\AppData\Local\Temp\B60F.exe
PID 3180 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\Temp\B853.exe
PID 3180 wrote to memory of 3600 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA57.exe
PID 3180 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC7B.exe
PID 3180 wrote to memory of 3036 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE80.exe
PID 3180 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF7B.exe
PID 3944 wrote to memory of 4568 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3180 wrote to memory of 3416 N/A N/A C:\Users\Admin\AppData\Local\Temp\C4BB.exe
PID 3404 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\B0CD.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe
PID 3180 wrote to memory of 3340 N/A N/A C:\Users\Admin\AppData\Local\Temp\C895.exe
PID 2816 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe
PID 4216 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe
PID 3180 wrote to memory of 2056 N/A N/A C:\Users\Admin\AppData\Local\Temp\CBB3.exe
PID 3748 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe
PID 3768 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe
PID 4568 wrote to memory of 1340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\B35E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe

"C:\Users\Admin\AppData\Local\Temp\3ca6ea3f4621da7fb952771589a37b2cb61a67c60b0662efbd3f52c12456a9d7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 260

C:\Users\Admin\AppData\Local\Temp\B0CD.exe

C:\Users\Admin\AppData\Local\Temp\B0CD.exe

C:\Users\Admin\AppData\Local\Temp\B35E.exe

C:\Users\Admin\AppData\Local\Temp\B35E.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B497.bat" "

C:\Users\Admin\AppData\Local\Temp\B60F.exe

C:\Users\Admin\AppData\Local\Temp\B60F.exe

C:\Users\Admin\AppData\Local\Temp\B853.exe

C:\Users\Admin\AppData\Local\Temp\B853.exe

C:\Users\Admin\AppData\Local\Temp\BA57.exe

C:\Users\Admin\AppData\Local\Temp\BA57.exe

C:\Users\Admin\AppData\Local\Temp\BC7B.exe

C:\Users\Admin\AppData\Local\Temp\BC7B.exe

C:\Users\Admin\AppData\Local\Temp\BE80.exe

C:\Users\Admin\AppData\Local\Temp\BE80.exe

C:\Users\Admin\AppData\Local\Temp\BF7B.exe

C:\Users\Admin\AppData\Local\Temp\BF7B.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\C4BB.exe

C:\Users\Admin\AppData\Local\Temp\C4BB.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

C:\Users\Admin\AppData\Local\Temp\C895.exe

C:\Users\Admin\AppData\Local\Temp\C895.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

C:\Users\Admin\AppData\Local\Temp\CBB3.exe

C:\Users\Admin\AppData\Local\Temp\CBB3.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc76ed46f8,0x7ffc76ed4708,0x7ffc76ed4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 984 -ip 984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\DF4B.exe

C:\Users\Admin\AppData\Local\Temp\DF4B.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc76ed46f8,0x7ffc76ed4708,0x7ffc76ed4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,14490413045284455398,15012769926605526800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3792 -ip 3792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1096 -ip 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 540

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=BE80.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffc76ed46f8,0x7ffc76ed4708,0x7ffc76ed4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=BE80.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc76ed46f8,0x7ffc76ed4708,0x7ffc76ed4718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IA999ZI.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IA999ZI.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8226597826180069461,6431780440521697385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

Network


Files

memory/504-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/504-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/504-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/504-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3180-3-0x00000000011D0000-0x00000000011E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B0CD.exe

MD5 e52a30d0a60c29f5ab163dfe521df185
SHA1 bb3747167aa0ca5c75fd989d913aedd7d74a05ff
SHA256 0001093d18c7660b7d8e557b93eeeeb1bbcceb7069a369a1eac49cc01737ab06
SHA512 d462130abb6eb8eaf8bd2f7d9f96fe9a45240cba904ba2767000c52dd7f6b966a6d3eb51625350a95f92e1030e421e890081c0842b1c5364fc7452bf5423cd34

C:\Users\Admin\AppData\Local\Temp\B0CD.exe

MD5 e52a30d0a60c29f5ab163dfe521df185
SHA1 bb3747167aa0ca5c75fd989d913aedd7d74a05ff
SHA256 0001093d18c7660b7d8e557b93eeeeb1bbcceb7069a369a1eac49cc01737ab06
SHA512 d462130abb6eb8eaf8bd2f7d9f96fe9a45240cba904ba2767000c52dd7f6b966a6d3eb51625350a95f92e1030e421e890081c0842b1c5364fc7452bf5423cd34

C:\Users\Admin\AppData\Local\Temp\B35E.exe

MD5 7a06af08168ee22dec9e1ce956586356
SHA1 435dadb3e98b39cba5473a8d2d7d53f7eca46e6c
SHA256 a5cf1265a3e0a01df83ff1ee86c974340695457d444013efa35e13b4b2ac7420
SHA512 5f0e6e5dbf7900cccfb39fef1df796fe1729849f46c226dac8829ac4131495725da7f5d2aededf467f2e9b09a7f053efd39ce5ad4766dcdf35c603dfbc52a98e

C:\Users\Admin\AppData\Local\Temp\B497.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\B60F.exe

MD5 e37479ec728fbc1e48caa448ab9c8b75
SHA1 7ac8f4c52b7fe7a2b43d55ad532ded9e30b0fffe
SHA256 f44ea387dd58b2bc4ba640a73a8ad835bec6387682b0049ab35b25241f48f311
SHA512 5c0d1cbc4672c52ac5108215dd5fe037efab112e11cde051ca80acfa3758671389578048c69fbd7096284d22eb925afeee55c4fabc9ea0da176cab096a90901b

C:\Users\Admin\AppData\Local\Temp\B853.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/1488-31-0x0000000000B10000-0x0000000000B1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BA57.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\BC7B.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\BE80.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/1488-53-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF7B.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/3036-56-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

MD5 e61fb5f7b04a7f9ada6510aba6145bae
SHA1 3736014513e65fb606c3e91d3cff2fb3b587cfc4
SHA256 4b68f0baa4ca10e82e77ecb76d9d61dd6f9c459642f1d14863baf47d641fb86a
SHA512 e50c8a08604838204e1cd399d2e65a16783246098e4a58a2394503e8b583f8de103d407f4f87a4a40375bd9a026ab87f68372406f39929ef9183e1eb49c595e4

memory/3416-59-0x0000000000B30000-0x0000000000C88000-memory.dmp

memory/3036-62-0x00000000020C0000-0x000000000211A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C4BB.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\C895.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

MD5 78ddd84827e193d9f272bf07143d1b41
SHA1 1294fe8aae0deefef077ec7442525486c8c0be2d
SHA256 1e074fb3717ca129762d51c012440807cc0858b3c9ad2d777409f525930350b5
SHA512 2fa44d7a466727c01303a924f58681d468a4d9e832e5ecfddc769e4334d3c054da423778264ff07627287edd6c6caf0b4c35487300263b85098f4fc41464181c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

MD5 b33d7edfc5c814c4da9dfb21490f0420
SHA1 c9fecae7c3d9e75b11057ffa662502aa31a754f7
SHA256 844f6b4ab7e14540553d8f08462b9e7456cbf2924da00211894887df3c0599c3
SHA512 06397cb3e52ec0df5488447045ef568f3fb495e8f6f4293d45236199d753c35298570856cb1c195e122ea018e1b3b30466e304ec4e13d1b1f7786d620f21bfd2

C:\Users\Admin\AppData\Local\Temp\CBB3.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

MD5 2212241576464b07d2641012ecb68beb
SHA1 2cc35f4be8a835459ef3e508671353426e598f5f
SHA256 95cc015a7e97b18fd81deff03e9b31e537700c6c90e0ebc947f79e99dd92f9a9
SHA512 99b6cc62c930473ad7aec58c0ff8141c1f68f9005597811b6101fe2fa4844df7ec48295e689ad73a60fb7df8d2fae187e17443df1bdc6efa5fdab6c6d1df4c45

memory/3340-102-0x00000000005D0000-0x000000000062A000-memory.dmp

memory/3340-101-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

MD5 5ccaee1dcedc87915eee516995101794
SHA1 05fde259eb069f0bd6152b692c2fa47dcce176b7
SHA256 af307ebc2f3925c396f95a4ef2711e4420ac192c75908fc4390bbbeac64c3c1e
SHA512 754b9545c40bdb6fe509b8d1aa9aa5eea74e9e23638c2d9af7a1ba2316b9d0d67701d009d6852c9173a3024c0f33691fbeab795e47eac1aed66efb560b55b186

memory/2056-108-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/4564-109-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/3340-111-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/3416-113-0x0000000000B30000-0x0000000000C88000-memory.dmp

memory/2204-114-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2204-115-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2204-118-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2056-117-0x0000000000C00000-0x0000000000C5A000-memory.dmp

memory/4564-119-0x0000000000CF0000-0x0000000000D0E000-memory.dmp

memory/1488-120-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

memory/2204-121-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4548-123-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DF4B.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/1488-135-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

memory/3416-137-0x0000000000B30000-0x0000000000C88000-memory.dmp

memory/3340-139-0x0000000006ED0000-0x0000000007474000-memory.dmp

memory/4548-138-0x0000000073000000-0x00000000737B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3340-150-0x00000000074C0000-0x0000000007552000-memory.dmp

memory/4448-151-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4448-152-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/2056-162-0x0000000073000000-0x00000000737B0000-memory.dmp

\??\pipe\LOCAL\crashpad_5076_OOEOVJPUJKMDRSFC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2204-176-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c660551c56c291c0c30ab1d465d714fc
SHA1 2aebedead80aa99f456746a5f9a2a7d62f78a2eb
SHA256 5c50c91a8a7ed20fa70176d2854d8a34c61845b8ed931ff67e074861ed76184b
SHA512 aace4c77cd916a0878d4ae9740516d8e2263f8d4a056c844241027f178220c1b623d521321097c1ff057aaad0853eb67cbadce4dac6b7d05956173658503d30e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 42a1719e509b7bf16ff3789db6024a00
SHA1 12437a8519ee344ba76664cce838031f1c56303b
SHA256 49575e995b4a8c051c17508d9a565e8b5264513ff68392030eb6f0dbd3a2f9b3
SHA512 fca9a55145c66042bf936b54ad85257c9437ab0ae8a460d4c1249d43d45fbb1939631214c5d063ed021e2730c8803a4cd6494305003a91e77f7664ac154125b4

memory/4564-186-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/1096-210-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3340-213-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/1096-211-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1096-215-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4564-214-0x0000000005CE0000-0x00000000062F8000-memory.dmp

\??\pipe\LOCAL\crashpad_4568_FNBPZCJQCLQXNWHP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4564-221-0x00000000056C0000-0x00000000056D2000-memory.dmp

memory/2284-222-0x00007FF6C0A80000-0x00007FF6C0D7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4448-238-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/4548-239-0x0000000007DC0000-0x0000000007DD0000-memory.dmp

memory/4564-237-0x0000000005720000-0x000000000575C000-memory.dmp

memory/4628-241-0x0000000000EF0000-0x0000000000F23000-memory.dmp

memory/4628-240-0x0000000000EF0000-0x0000000000F23000-memory.dmp

memory/4628-242-0x0000000000EF0000-0x0000000000F23000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5deffc26d5f74bb83532f3535761040f
SHA1 ab53d9b9015b2cbd372702741825b101f13ccc88
SHA256 afa8bfc9afeab3079b865b47c034539ceb141b2b9afe81ef44dd0b86d6325c31
SHA512 fe91c015da6f7de3082584e81538de232464be9bc48e9d06abdcc9b9264b8ce410c4e1fc90066d872e5336185db9f277e586d46537e70856152d0417a218b41d

memory/2284-243-0x00007FF6C0A80000-0x00007FF6C0D7F000-memory.dmp

memory/2056-250-0x0000000007CF0000-0x0000000007D00000-memory.dmp

memory/4628-252-0x0000000000EF0000-0x0000000000F23000-memory.dmp

memory/3340-251-0x0000000007730000-0x0000000007740000-memory.dmp

memory/4548-253-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/4628-254-0x0000000000EF0000-0x0000000000F23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IA999ZI.exe

MD5 9ccdae3be00be1a888c9695799839b7a
SHA1 14a49b29dfeae99c0793ed90c3379b25833b19eb
SHA256 bedefe96e193fa08f0b55213b98434a620c3ae0fd745326feb00d3741c0624bd
SHA512 296025c442880d4f0502b8735619548ff8969cdffa10b2dabcb26b30c69f2f2a7fb1ccb1f006e8acd98f041e9bf9578b03d077921da5fc46795f6409938f1dd5

memory/5428-263-0x0000000000F20000-0x0000000000F5E000-memory.dmp

memory/4448-264-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/5428-265-0x0000000073000000-0x00000000737B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c339867ba29c73dd42499daaedab0247
SHA1 c6166702857675c4f54ac1bf246cbf50eafb95c3
SHA256 e6361735c224b4a792bbac899a25d22d84cd12090efe3aa77a68b663b6a0a3d3
SHA512 d2dfa93f9fdd648a476a27c01be65b7f76989f2c293ddd7d8139cdea2edf72dc86aa413d539931e5c7215caacf580534e2304107233caf7c242a373f82a51fcb

memory/5428-275-0x0000000007E90000-0x0000000007EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/4548-301-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

memory/4564-315-0x00000000056B0000-0x00000000056C0000-memory.dmp

memory/4448-319-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/2056-321-0x0000000007CF0000-0x0000000007D00000-memory.dmp

memory/4548-320-0x0000000007DC0000-0x0000000007DD0000-memory.dmp

memory/3340-322-0x0000000007730000-0x0000000007740000-memory.dmp

memory/4564-354-0x0000000005760000-0x00000000057AC000-memory.dmp

memory/5428-366-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/2056-367-0x0000000008600000-0x000000000870A000-memory.dmp

memory/5428-387-0x0000000007E90000-0x0000000007EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4aced29399cd60d8422333d2ce88d1f9
SHA1 89a46c1f9785160cdb70985a042c70ac52bd577d
SHA256 47b3a1e38cb3c8f71e9da779cca50b9af12fe3c229c2cbc90c2f766f50206571
SHA512 6e1a95afdc59cc0cf041bb41d0826621eea022a1ad0a4aed0335db2a893d54052ea5dbef51bfc565951faeb8a814779d30587c9297b944e5ce360367e17e84f8

memory/4564-407-0x00000000056B0000-0x00000000056C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5968b3.TMP

MD5 9ccf452c4a85940b5e07241a7b7afe75
SHA1 30cd8ade847dd17679647d308b782f65daebf44c
SHA256 6a0c32e354a0621b1b28b3f60be7d4f36536ec815ed097af473bad7787c1bc09
SHA512 9ccf8c549003d65cdb6a94502e541075323758c434f11eed2bb4890ea8b647ddcbf64f7d9c19fe9f9534ec9e9252bc555f4bd8fa6b78e136d8b56fb4358ff842

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6a374fa3443eacce191f7633bcc668d8
SHA1 4a2b70efe9ed30465d0a03685a5f532d88dd88f1
SHA256 8d614c30a4a2806426a0f6e52b22b81c39ff4ea91bf9df034207472e8d910379
SHA512 1b717234b4064268a33ca95e63a1202795011d54f2d15929f77441c4f7d9df71bc537e96111fda5204c76b2077ec7a62c0363fc206416afaa8c538cb31726e99

memory/3340-434-0x0000000008380000-0x00000000083E6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6ddb6132f72175de69885960cfbad0c7
SHA1 0b4429e2d39900d24f076f2473ca5201957059ad
SHA256 8b928b75cef20c0da268eb6720349c13f554e2491e0183c9a27e1bee53323da1
SHA512 ee40244e6cf5c2b7e2b33078795c54bd4235e41df681144b3b539d859b6a2e8a843c1c8112523cc8d21e135e77b8a7d90ccafdf68834f364288ca22267bac156

memory/3340-458-0x0000000008B00000-0x0000000008B76000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9ae515f66e15a4331bbb590342a7e70e
SHA1 9fa6f3e90a480a075bdef34f3fcbcad02e7a692e
SHA256 aaeb6e6c62623790adfb80043fc35e23b38791c4cef426801cdfb697d6288555
SHA512 d0ded03bd2ba38d5e41fbe301a2d974c40a1eea24ea490cf017b7ab7b7ee9428c36f967445326c977fa54b260df98a6235f800c756de31cbbb53f9859b2d0d75

memory/4564-468-0x0000000006CA0000-0x0000000006E62000-memory.dmp

memory/4564-471-0x00000000073A0000-0x00000000078CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpABD0.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/2056-511-0x0000000005140000-0x000000000515E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB125.tmp

MD5 5b39e7698deffeb690fbd206e7640238
SHA1 327f6e6b5d84a0285eefe9914a067e9b51251863
SHA256 53209f64c96b342ff3493441cefa4f49d50f028bd1e5cc45fe1d8b4c9d9a38f8
SHA512 f1f9bc156af008b9686d5e76f41c40e5186f563f416c73c3205e6242b41539516b02f62a1d9f6bcc608ccde759c81def339ccd1633bc8acdd6a69dc4a6477cc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 64da881afe322535171bfc36d5bb3efe
SHA1 49b9c59dbd7bccd63f03ef99fd768808bc5bdde3
SHA256 f64aa79bf52627561ba1446f3cf1d6dada90855a122fabe35bdfe8e70b903ff6
SHA512 75ba833e2c04e09ac88a6d346a27110ff025c2c6c0e7c966caab0bfbc75701abaac994e15ede6df76d6c80f251f5b75caf6326f8d8c4d8e62fc33d0549aa7f2b

C:\Users\Admin\AppData\Local\Temp\tmpB383.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpB389.tmp

MD5 d6ee90d804c9c2a4e5eaeacd5384aae6
SHA1 edba2fe66aec43fead351eff0937f1e70583f7ed
SHA256 d8a9938aa014ed8e811fd4dcc18ca76991ff63876f471f5acbccc70ccfefb444
SHA512 b39944c64a88b24290b84ba490f07f98ed0c77c49bc2c29ec7fb7abbdecbba1b31db8a30c3a8443b8c3dc4c3d661e503a210a9ae33641783a5782f6537d9e1b5

memory/4564-597-0x0000000007120000-0x0000000007170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB7FF.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpB82B.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8ce82fe7e1d3b55ab51f53b5a441b6bb
SHA1 eb11b35fb93c7607990a91f2a4ec1d157e4a173d
SHA256 e5c20a2179019574a15fdf7fdf9a9a582ba49c78d4824abca10682f18696dae8
SHA512 7599c169f9a4cbe7996d166ffe8f32a78507967bd0c77ce02b16cc12b891da4543eb32353e4e614997dce4e0b316720ae651349dd1bedca0b107bfc47a9db9f7

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/3340-670-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/2056-672-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/4548-676-0x0000000073000000-0x00000000737B0000-memory.dmp

memory/4564-675-0x0000000073000000-0x00000000737B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3fc5d6c7a30ff4760f1490d13bc974b3
SHA1 34118dfa234573c9ac2e30e2256a4d29cf83c763
SHA256 99ff5a2f40836c4ea07805f8c4cf191eadd29156ab2385fc1a12a833c3dee6cf
SHA512 162e3c9d1bee0ac4c8684146726cab8a5e3709d3c66e1f33cc9099ee481045b7f38aa0046869a31573461217a9c8173ca627797955030f6bcfa383ca09af097c