Malware Analysis Report

2025-08-10 23:43

Sample ID 231011-zbveaadf59
Target acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18
SHA256 acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18
Tags
amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan breha kukish microsoft phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18

Threat Level: Known bad

The file acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18 was found to be: Known bad.

Malicious Activity Summary

Detects Healer, an antivirus disabler dropper

SectopRAT payload

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

DcRat

Amadey

SmokeLoader

SectopRAT

RedLine

Downloads MZ/PE file

Windows security modification

Uses the VBS compiler for execution

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Program crash

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Creates scheduled task(s)

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 20:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 20:33

Reported

2023-10-12 15:22

Platform

win7-20230831-en

Max time kernel

152s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (×3)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (×12)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A (×3)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D421.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe N/A (×3)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A (×4)
N/A N/A C:\Users\Admin\AppData\Local\Temp\247.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A (×8)
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8E.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A (×4)

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D421.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (×2)

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000210b1cb9c51492b056749f1d06f65c88caa703b0e04c497354fb4605c7b483b5000000000e8000000002000020000000b5f4c3d520d74d3baa26e94f145d772760151025dcf3c59720b6c2678691218220000000ebd59edaed3594ef0d58a4452919e614f2e6d14f00aa006b2057cb1766900fef40000000f054deb6e0e1c998687452a2b204c625568c79c77539004f7451af331ff7f39c8fc2d235784531d48ffb83838f7ce1eb5cee8455f5fc345ba490b8cc7abdcb9c C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3C86141-6912-11EE-A2C0-EEDB236BE57B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800933d71ffdd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403285913" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary blob omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\2786.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\2786.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A (×2)
N/A N/A N/A N/A (×62)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (×20)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F99F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2786.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6D01.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1D19.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5DD3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8E.exe N/A
N/A N/A N/A N/A (×4)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (×10)
PID 1576 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe C:\Windows\SysWOW64\WerFault.exe (×4)
PID 1364 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\D421.exe (×7)
PID 1364 wrote to memory of 2408 N/A N/A C:\Users\Admin\AppData\Local\Temp\E39C.exe (×4)
PID 2772 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\D421.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe (×7)
PID 1364 wrote to memory of 2612 N/A N/A C:\Windows\system32\cmd.exe (×3)
PID 2740 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe (×7)
PID 2548 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe (×7)
PID 1360 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe (×7)
PID 1364 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECB3.exe (×4)
PID 2768 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe (×4)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe

"C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 52

C:\Users\Admin\AppData\Local\Temp\D421.exe

C:\Users\Admin\AppData\Local\Temp\D421.exe

C:\Users\Admin\AppData\Local\Temp\E39C.exe

C:\Users\Admin\AppData\Local\Temp\E39C.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\E4F4.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

C:\Users\Admin\AppData\Local\Temp\ECB3.exe

C:\Users\Admin\AppData\Local\Temp\ECB3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\F99F.exe

C:\Users\Admin\AppData\Local\Temp\F99F.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 48

C:\Users\Admin\AppData\Local\Temp\247.exe

C:\Users\Admin\AppData\Local\Temp\247.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 48

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 36

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\D8E.exe

C:\Users\Admin\AppData\Local\Temp\D8E.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1D19.exe

C:\Users\Admin\AppData\Local\Temp\1D19.exe

C:\Users\Admin\AppData\Local\Temp\2786.exe

C:\Users\Admin\AppData\Local\Temp\2786.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\39EE.exe

C:\Users\Admin\AppData\Local\Temp\39EE.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\5DD3.exe

C:\Users\Admin\AppData\Local\Temp\5DD3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\6D01.exe

C:\Users\Admin\AppData\Local\Temp\6D01.exe

C:\Users\Admin\AppData\Local\Temp\88EB.exe

C:\Users\Admin\AppData\Local\Temp\88EB.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {8F8794DD-52EB-422B-9D39-24D801A57B7B} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country  Destination            Domain                   Proto
FI       77.91.68.29:80         77.91.68.29              tcp
FI       77.91.68.52:80         77.91.68.52              tcp
US       8.8.8.8:53             www.facebook.com         udp
RU       5.42.65.80:80          5.42.65.80               tcp
TR       185.216.70.222:80      185.216.70.222           tcp
BG       171.22.28.213:80       171.22.28.213            tcp
FI       77.91.68.29:80         77.91.68.29              tcp
FI       77.91.68.29:80         77.91.68.29              tcp
FI       77.91.68.29:80         77.91.68.29              tcp
NL       157.240.247.35:443     www.facebook.com         tcp
NL       157.240.247.35:443     www.facebook.com         tcp
RU       5.42.65.80:80          5.42.65.80               tcp
FI       77.91.124.1:80         77.91.124.1              tcp
MD       176.123.9.142:37637                             tcp
BG       171.22.28.202:16706                             tcp
IT       185.196.9.65:80                                 tcp
US       8.8.8.8:53             static.xx.fbcdn.net      udp
US       8.8.8.8:53             facebook.com             udp
GB       157.240.221.16:443     static.xx.fbcdn.net      tcp
GB       157.240.221.35:443     facebook.com             tcp
GB       157.240.221.16:443     static.xx.fbcdn.net      tcp
GB       157.240.221.35:443     facebook.com             tcp
GB       157.240.221.16:443     static.xx.fbcdn.net      tcp
GB       157.240.221.16:443     static.xx.fbcdn.net      tcp
GB       157.240.221.16:443     static.xx.fbcdn.net      tcp
GB       157.240.221.16:443     static.xx.fbcdn.net      tcp
US       8.8.8.8:53             fbcdn.net                udp
GB       157.240.221.35:443     fbcdn.net                tcp
GB       157.240.221.35:443     fbcdn.net                tcp
NL       157.240.247.35:443     www.facebook.com         tcp
NL       157.240.247.35:443     www.facebook.com         tcp
NL       157.240.247.35:443     www.facebook.com         tcp
NL       157.240.247.35:443     www.facebook.com         tcp
US       8.8.8.8:53             fbsbx.com                udp
GB       157.240.221.35:443     fbsbx.com                tcp
GB       157.240.221.35:443     fbsbx.com                tcp
NL       85.209.176.171:80      85.209.176.171           tcp
TR       185.216.70.238:37515                            tcp
US       8.8.8.8:53             api.ip.sb                udp
US       104.26.13.31:443       api.ip.sb                tcp
FI       77.91.124.1:80         77.91.124.1              tcp
US       104.26.13.31:443       api.ip.sb                tcp
GB       157.240.221.16:443     static.xx.fbcdn.net      tcp
GB       157.240.221.16:443     static.xx.fbcdn.net      tcp
US       204.79.197.200:443     ieonline.microsoft.com   tcp
US       204.79.197.200:443     ieonline.microsoft.com   tcp
US       204.79.197.200:443     ieonline.microsoft.com   tcp

Files

memory/2028-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2028-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2028-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2028-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2028-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2028-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1364-5-0x0000000002630000-0x0000000002646000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D421.exe

MD5 e52a30d0a60c29f5ab163dfe521df185
SHA1 bb3747167aa0ca5c75fd989d913aedd7d74a05ff
SHA256 0001093d18c7660b7d8e557b93eeeeb1bbcceb7069a369a1eac49cc01737ab06
SHA512 d462130abb6eb8eaf8bd2f7d9f96fe9a45240cba904ba2767000c52dd7f6b966a6d3eb51625350a95f92e1030e421e890081c0842b1c5364fc7452bf5423cd34

\Users\Admin\AppData\Local\Temp\D421.exe

MD5 e52a30d0a60c29f5ab163dfe521df185
SHA1 bb3747167aa0ca5c75fd989d913aedd7d74a05ff
SHA256 0001093d18c7660b7d8e557b93eeeeb1bbcceb7069a369a1eac49cc01737ab06
SHA512 d462130abb6eb8eaf8bd2f7d9f96fe9a45240cba904ba2767000c52dd7f6b966a6d3eb51625350a95f92e1030e421e890081c0842b1c5364fc7452bf5423cd34

C:\Users\Admin\AppData\Local\Temp\E39C.exe

MD5 7a06af08168ee22dec9e1ce956586356
SHA1 435dadb3e98b39cba5473a8d2d7d53f7eca46e6c
SHA256 a5cf1265a3e0a01df83ff1ee86c974340695457d444013efa35e13b4b2ac7420
SHA512 5f0e6e5dbf7900cccfb39fef1df796fe1729849f46c226dac8829ac4131495725da7f5d2aededf467f2e9b09a7f053efd39ce5ad4766dcdf35c603dfbc52a98e

\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

MD5 e61fb5f7b04a7f9ada6510aba6145bae
SHA1 3736014513e65fb606c3e91d3cff2fb3b587cfc4
SHA256 4b68f0baa4ca10e82e77ecb76d9d61dd6f9c459642f1d14863baf47d641fb86a
SHA512 e50c8a08604838204e1cd399d2e65a16783246098e4a58a2394503e8b583f8de103d407f4f87a4a40375bd9a026ab87f68372406f39929ef9183e1eb49c595e4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

MD5 e61fb5f7b04a7f9ada6510aba6145bae
SHA1 3736014513e65fb606c3e91d3cff2fb3b587cfc4
SHA256 4b68f0baa4ca10e82e77ecb76d9d61dd6f9c459642f1d14863baf47d641fb86a
SHA512 e50c8a08604838204e1cd399d2e65a16783246098e4a58a2394503e8b583f8de103d407f4f87a4a40375bd9a026ab87f68372406f39929ef9183e1eb49c595e4

\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

MD5 e61fb5f7b04a7f9ada6510aba6145bae
SHA1 3736014513e65fb606c3e91d3cff2fb3b587cfc4
SHA256 4b68f0baa4ca10e82e77ecb76d9d61dd6f9c459642f1d14863baf47d641fb86a
SHA512 e50c8a08604838204e1cd399d2e65a16783246098e4a58a2394503e8b583f8de103d407f4f87a4a40375bd9a026ab87f68372406f39929ef9183e1eb49c595e4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

MD5 e61fb5f7b04a7f9ada6510aba6145bae
SHA1 3736014513e65fb606c3e91d3cff2fb3b587cfc4
SHA256 4b68f0baa4ca10e82e77ecb76d9d61dd6f9c459642f1d14863baf47d641fb86a
SHA512 e50c8a08604838204e1cd399d2e65a16783246098e4a58a2394503e8b583f8de103d407f4f87a4a40375bd9a026ab87f68372406f39929ef9183e1eb49c595e4

C:\Users\Admin\AppData\Local\Temp\E4F4.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

MD5 78ddd84827e193d9f272bf07143d1b41
SHA1 1294fe8aae0deefef077ec7442525486c8c0be2d
SHA256 1e074fb3717ca129762d51c012440807cc0858b3c9ad2d777409f525930350b5
SHA512 2fa44d7a466727c01303a924f58681d468a4d9e832e5ecfddc769e4334d3c054da423778264ff07627287edd6c6caf0b4c35487300263b85098f4fc41464181c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

MD5 78ddd84827e193d9f272bf07143d1b41
SHA1 1294fe8aae0deefef077ec7442525486c8c0be2d
SHA256 1e074fb3717ca129762d51c012440807cc0858b3c9ad2d777409f525930350b5
SHA512 2fa44d7a466727c01303a924f58681d468a4d9e832e5ecfddc769e4334d3c054da423778264ff07627287edd6c6caf0b4c35487300263b85098f4fc41464181c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

MD5 b33d7edfc5c814c4da9dfb21490f0420
SHA1 c9fecae7c3d9e75b11057ffa662502aa31a754f7
SHA256 844f6b4ab7e14540553d8f08462b9e7456cbf2924da00211894887df3c0599c3
SHA512 06397cb3e52ec0df5488447045ef568f3fb495e8f6f4293d45236199d753c35298570856cb1c195e122ea018e1b3b30466e304ec4e13d1b1f7786d620f21bfd2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

MD5 b33d7edfc5c814c4da9dfb21490f0420
SHA1 c9fecae7c3d9e75b11057ffa662502aa31a754f7
SHA256 844f6b4ab7e14540553d8f08462b9e7456cbf2924da00211894887df3c0599c3
SHA512 06397cb3e52ec0df5488447045ef568f3fb495e8f6f4293d45236199d753c35298570856cb1c195e122ea018e1b3b30466e304ec4e13d1b1f7786d620f21bfd2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

MD5 b33d7edfc5c814c4da9dfb21490f0420
SHA1 c9fecae7c3d9e75b11057ffa662502aa31a754f7
SHA256 844f6b4ab7e14540553d8f08462b9e7456cbf2924da00211894887df3c0599c3
SHA512 06397cb3e52ec0df5488447045ef568f3fb495e8f6f4293d45236199d753c35298570856cb1c195e122ea018e1b3b30466e304ec4e13d1b1f7786d620f21bfd2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

MD5 b33d7edfc5c814c4da9dfb21490f0420
SHA1 c9fecae7c3d9e75b11057ffa662502aa31a754f7
SHA256 844f6b4ab7e14540553d8f08462b9e7456cbf2924da00211894887df3c0599c3
SHA512 06397cb3e52ec0df5488447045ef568f3fb495e8f6f4293d45236199d753c35298570856cb1c195e122ea018e1b3b30466e304ec4e13d1b1f7786d620f21bfd2

\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

MD5 2212241576464b07d2641012ecb68beb
SHA1 2cc35f4be8a835459ef3e508671353426e598f5f
SHA256 95cc015a7e97b18fd81deff03e9b31e537700c6c90e0ebc947f79e99dd92f9a9
SHA512 99b6cc62c930473ad7aec58c0ff8141c1f68f9005597811b6101fe2fa4844df7ec48295e689ad73a60fb7df8d2fae187e17443df1bdc6efa5fdab6c6d1df4c45

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

MD5 2212241576464b07d2641012ecb68beb
SHA1 2cc35f4be8a835459ef3e508671353426e598f5f
SHA256 95cc015a7e97b18fd81deff03e9b31e537700c6c90e0ebc947f79e99dd92f9a9
SHA512 99b6cc62c930473ad7aec58c0ff8141c1f68f9005597811b6101fe2fa4844df7ec48295e689ad73a60fb7df8d2fae187e17443df1bdc6efa5fdab6c6d1df4c45

C:\Users\Admin\AppData\Local\Temp\ECB3.exe

MD5 e37479ec728fbc1e48caa448ab9c8b75
SHA1 7ac8f4c52b7fe7a2b43d55ad532ded9e30b0fffe
SHA256 f44ea387dd58b2bc4ba640a73a8ad835bec6387682b0049ab35b25241f48f311
SHA512 5c0d1cbc4672c52ac5108215dd5fe037efab112e11cde051ca80acfa3758671389578048c69fbd7096284d22eb925afeee55c4fabc9ea0da176cab096a90901b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

MD5 5ccaee1dcedc87915eee516995101794
SHA1 05fde259eb069f0bd6152b692c2fa47dcce176b7
SHA256 af307ebc2f3925c396f95a4ef2711e4420ac192c75908fc4390bbbeac64c3c1e
SHA512 754b9545c40bdb6fe509b8d1aa9aa5eea74e9e23638c2d9af7a1ba2316b9d0d67701d009d6852c9173a3024c0f33691fbeab795e47eac1aed66efb560b55b186

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

MD5 5ccaee1dcedc87915eee516995101794
SHA1 05fde259eb069f0bd6152b692c2fa47dcce176b7
SHA256 af307ebc2f3925c396f95a4ef2711e4420ac192c75908fc4390bbbeac64c3c1e
SHA512 754b9545c40bdb6fe509b8d1aa9aa5eea74e9e23638c2d9af7a1ba2316b9d0d67701d009d6852c9173a3024c0f33691fbeab795e47eac1aed66efb560b55b186

C:\Users\Admin\AppData\Local\Temp\ECB3.exe

MD5 e37479ec728fbc1e48caa448ab9c8b75
SHA1 7ac8f4c52b7fe7a2b43d55ad532ded9e30b0fffe
SHA256 f44ea387dd58b2bc4ba640a73a8ad835bec6387682b0049ab35b25241f48f311
SHA512 5c0d1cbc4672c52ac5108215dd5fe037efab112e11cde051ca80acfa3758671389578048c69fbd7096284d22eb925afeee55c4fabc9ea0da176cab096a90901b

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

MD5 5ccaee1dcedc87915eee516995101794
SHA1 05fde259eb069f0bd6152b692c2fa47dcce176b7
SHA256 af307ebc2f3925c396f95a4ef2711e4420ac192c75908fc4390bbbeac64c3c1e
SHA512 754b9545c40bdb6fe509b8d1aa9aa5eea74e9e23638c2d9af7a1ba2316b9d0d67701d009d6852c9173a3024c0f33691fbeab795e47eac1aed66efb560b55b186

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

MD5 5ccaee1dcedc87915eee516995101794
SHA1 05fde259eb069f0bd6152b692c2fa47dcce176b7
SHA256 af307ebc2f3925c396f95a4ef2711e4420ac192c75908fc4390bbbeac64c3c1e
SHA512 754b9545c40bdb6fe509b8d1aa9aa5eea74e9e23638c2d9af7a1ba2316b9d0d67701d009d6852c9173a3024c0f33691fbeab795e47eac1aed66efb560b55b186

C:\Users\Admin\AppData\Local\Temp\F99F.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\E39C.exe

MD5 7a06af08168ee22dec9e1ce956586356
SHA1 435dadb3e98b39cba5473a8d2d7d53f7eca46e6c
SHA256 a5cf1265a3e0a01df83ff1ee86c974340695457d444013efa35e13b4b2ac7420
SHA512 5f0e6e5dbf7900cccfb39fef1df796fe1729849f46c226dac8829ac4131495725da7f5d2aededf467f2e9b09a7f053efd39ce5ad4766dcdf35c603dfbc52a98e

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\247.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\ECB3.exe

MD5 e37479ec728fbc1e48caa448ab9c8b75
SHA1 7ac8f4c52b7fe7a2b43d55ad532ded9e30b0fffe
SHA256 f44ea387dd58b2bc4ba640a73a8ad835bec6387682b0049ab35b25241f48f311
SHA512 5c0d1cbc4672c52ac5108215dd5fe037efab112e11cde051ca80acfa3758671389578048c69fbd7096284d22eb925afeee55c4fabc9ea0da176cab096a90901b

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

MD5 5ccaee1dcedc87915eee516995101794
SHA1 05fde259eb069f0bd6152b692c2fa47dcce176b7
SHA256 af307ebc2f3925c396f95a4ef2711e4420ac192c75908fc4390bbbeac64c3c1e
SHA512 754b9545c40bdb6fe509b8d1aa9aa5eea74e9e23638c2d9af7a1ba2316b9d0d67701d009d6852c9173a3024c0f33691fbeab795e47eac1aed66efb560b55b186

C:\Users\Admin\AppData\Local\Temp\D8E.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1204-169-0x0000000000F40000-0x0000000000F4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D19.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\D8E.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\2786.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/2180-185-0x0000000000470000-0x00000000004CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\2786.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\39EE.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\5DD3.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/3016-206-0x0000000000230000-0x000000000028A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D01.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/1940-213-0x0000000000320000-0x000000000035E000-memory.dmp

memory/1940-215-0x0000000000320000-0x000000000035E000-memory.dmp

memory/1940-219-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1940-223-0x0000000000320000-0x000000000035E000-memory.dmp

memory/1940-224-0x0000000000320000-0x000000000035E000-memory.dmp

memory/2596-222-0x00000000008A0000-0x00000000009F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D01.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\88EB.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

\Users\Admin\AppData\Local\Temp\88EB.exe

MD5 56cd504aff215b0c1c1805c5a85d6488
SHA1 e5d36b48e9d37578bd5e51f369f6fcc11c6544df
SHA256 f7e0f309d04b40a8c2e914c981315d5988e0994912f5d8f973e82ef2b1f5cc93
SHA512 dfd0cafd3a81021e5c8c1a74de009351927adab5204c38610f3515c58578ebbd40298b5bc2348c87bc9cb962a03a59cf74bf386f9daad75a76991e221bb24732

memory/1204-230-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA18F.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2180-245-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D19.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

memory/2852-247-0x00000000002C0000-0x00000000002DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5DD3.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

memory/1156-249-0x00000000009B0000-0x0000000000A0A000-memory.dmp

memory/3016-250-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/3016-251-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2180-252-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/1940-253-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/1156-254-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/2852-255-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/1940-256-0x00000000076F0000-0x0000000007730000-memory.dmp

memory/3016-257-0x00000000072A0000-0x00000000072E0000-memory.dmp

memory/1156-258-0x00000000072D0000-0x0000000007310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarB0FC.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1b78aafa3ed686750b65d5bbe25a9b5
SHA1 5ec7dce54187a86c14b3bab8cb0736feeef7c030
SHA256 c8ba2aa0e830b9c3f82aebb8aa4de3e19e3931210907da48167d84c7098fb76c
SHA512 eae9c2a1a2320e7b35b76ff0a9a727eef560d7e9ce5d95f597326d3cfd1d085efa584e8d733cbccf72f4c4ea6025a770864ffcb04478d6ebac8888f7b508bc18

memory/2852-315-0x00000000049C0000-0x0000000004A00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPR9MST4\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\iehkyjx\imagestore.dat

MD5 b0d65acb21da5c2951c6257d2916fbcc
SHA1 b4e2cca25584d739d1b0929dc7ee8405118a35ba
SHA256 719251b17e4c0c1c3cf42ccb847a20f25e21a43318bb826fad780ba8c8bae1e0
SHA512 daef7b45a0428be80443cc8de6c7c9bb3bf53249e6b11d6b45cf3082a0bc663c19699f710ec4923c8bfc2913722671645281d7159c2ac2b031e8d8a5b7af92f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4701010f7017c95c5aa572ce745a3c76
SHA1 b286d691654072f1232bc35accd8d553a76c5cf7
SHA256 056b37adc67ffdb2e07997bc77fba8017f4c70a5c3c8469faa4ea5f416cef88e
SHA512 f204f8c4a8daa1aae308dc0169f42bdffbc0b5494085bb4a8d40018419caa8d4682a4075785f070a67c4f68fabe94d65f7a1db2d59331775394e5ba5b42a823a

memory/2776-518-0x000000013F0D0000-0x000000013F3CF000-memory.dmp

memory/1204-519-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

memory/1684-520-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/1684-522-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/1684-523-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1684-526-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/2776-525-0x000000013F0D0000-0x000000013F3CF000-memory.dmp

memory/3016-527-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/2180-529-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/1684-528-0x0000000000080000-0x00000000000B3000-memory.dmp

memory/1940-530-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/1156-531-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/2852-532-0x0000000070E60000-0x000000007154E000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10b0533ca97ab2d03d5aaeb70f49044d
SHA1 d758d127cc91cfbefe50bbd7e4ecf27c4ed4d26c
SHA256 5d9387808e376d3b9a3afb7ac224a6f43948704fb00c8cbbb985985ff9345e0a
SHA512 99b0247e477be6bb37dfd0e6ec4d7f78cefc676d119fb26f014c7c43384d18f2fbaa287557a88075b71b85647c046e055005c9cfaea465dff04c554985b72eb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ded8560a20c21c82be864b296f600fa
SHA1 e01710ce5ba7d965e87fd797354661708796795d
SHA256 1418e261526fe89243c0691cb3bd3098a8699134a99a260fec3f8d9f0477899c
SHA512 ddcc1134d8186781152921d3ffe1a94b6e6ee85f951078dc7cfe2c837c50ce485d01253adb2a40af9f4752343c5e04f5cce4e51ecd175b42c567d9de3b5a0565

memory/1940-686-0x00000000076F0000-0x0000000007730000-memory.dmp

memory/1204-706-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f775af32991d6f1b3bed5ec2968c085
SHA1 c2f75be8862bfb356618c5615623b14af75304e9
SHA256 b1bc2f0863e2976773f6799f08100e28ce58d0866efc7f1d62bfa99d0a9bf85b
SHA512 e8e2f4baddc55b7a9f2582ed41fd78c7a93a02a588020018c5b4bd44a9e994b97241d45eff6fe57872940d12c9e51184a2ccb3c4d3ddc3bdf640105c3bb4eb5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efcdf096951d0998c055482eeafe3e6d
SHA1 b6d72ebdae71ba7a4bc72bd8dfec20c5f7c0349d
SHA256 c7fa032d44c555bb5405f5c63373dcbfb3061c457115eb1b0209d904dd2e714c
SHA512 95d922686fb49190fa28b4b21b88ef32e5e504e42a32510645126c83ecf302369a7df6d586813b7235b9234f7f2801ee7eb5674eb9e0047388d320b223ca9512

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e246e06a94dc7b0dd1cec5685cd4c91
SHA1 76de383437aabf469b5e5ecf038625ea7fb032f6
SHA256 5868c5af93c1b6e94f8ebeae7743a1db3ae19b8d0bb77c5df9b102ac1a3e4844
SHA512 1d524d9d5004f9ee395f3bebd9b1bc3c4ebe4f6e4bd9a6c9a17295bf6102d91d87a4283ba18d78591856587f0ae8e7e29cffa1e5ccdcb09237b7d45bc38de7ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 282fd140befc33fefbe962d625cdd3bb
SHA1 282b98ab67304eabea8991bf52340de41b8c9f4c
SHA256 23d840108c7e92a58039a51a68761d8358a0585e0ede84f4f053cda5e1ce3565
SHA512 faebda302ecba59e09b1c38182aac5d359aff118b9645c3a012df455d3eb9835f32c5a7cab495b3d7445ab3b7e772af5b07a5d43f07e74a7f013c98fee3640be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5f47edc7494bbe9dec065d66a68d613
SHA1 cf8063cb615651e32815f217f26a7e617761f291
SHA256 af994468098baa5e3184768bc6d78e95dfbe1b54fadbe44618c4969b38659c33
SHA512 09b037db357a7938eebc140deef1864a0f019ef643b0890cc6340a404cbec4253c2267dc60e75da02d887da3b94dcd2b8c15592703022c53dbe99b46b8cd08a2

memory/2852-868-0x00000000049C0000-0x0000000004A00000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ceaceb06af5a5b21fd28d25cfc51b507
SHA1 0a865b789b5dfb7328af560bc957fe0fd09bffb1
SHA256 f6a66d1da7d6a9a7089c14bf28ed1292d9020d558ca83e49d1a2533bacbfa0e4
SHA512 c6f73c71b39360f42c89d24e5fd9f1dae3e3a58701f837d621fa8902eeda3f5ce93568e297139cfd9349055a6ba8c0d63598f0d6e635f064069a88bd6dc31f09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d05ad861e1eaae3327654bef3b305ae
SHA1 d99cb33dfae795d023394299fb3510e7fb96affb
SHA256 2b670ac9f6faa1389191ef710ef532ab8a9fc13767a220e3cd2a915a920ce1d8
SHA512 7f3079f80daaa02b0c19fb33014f4528c97b6e87a10eaba81b114fe058f462d4cee455fdade262c67039a43e59f6d980baeb423e928a8b9a73dc31faa53e7098

C:\Users\Admin\AppData\Local\Temp\tmpE952.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpEAAF.tmp

MD5 9c3d41e4722dcc865c20255a59633821
SHA1 f3d6bb35f00f830a21d442a69bc5d30075e0c09b
SHA256 8a9827a58c3989200107213c7a8f6bc8074b6bd0db04b7f808bd123d2901972d
SHA512 55f0e7f0b42b21a0f27ef85366ccc5aa2b11efaad3fddb5de56207e8a17ee7077e7d38bde61ab53b96fae87c1843b57c3f79846ece076a5ab128a804951a3e14

memory/1156-1105-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/3016-1104-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/2180-1103-0x0000000070E60000-0x000000007154E000-memory.dmp

memory/2852-1122-0x0000000070E60000-0x000000007154E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7faec45701060bc9184f55efa0404ee
SHA1 5439e64fcb8ef50a5182b4e1e2c2f00e6df67583
SHA256 c346d6eff8b470cb7279429bfda2ac47aecb82b6c97f5b923b44ef219954aff0
SHA512 36ea43b8ef20bbf6b3c153c58dcde78a430a74e020544e75cded81bd75fd565f34e42f215f838ca49ef58e104701011d072c61d7a08d8baf7d614bfebbb95139

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90f436aa306193f8a1c618ca1c4a8f5e
SHA1 5afca94db677ce8e46e558ce8e679df03298f50e
SHA256 63717e43eb7422f4170994896d1d708c12f34876d41f59fbb898972c4d7a064f
SHA512 114ac0e48c7859fee96267ef1e4a308d4c69bab056491cb24041e651e36b91f2dd02e4145ff5f19db070ac00e0c5765904cf8413c72c2b5a07eb692fca539796

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9b8d1e3c31d4d41da3ad73d6653e6eb
SHA1 e5797ede3564cf6e56ab5455a0db8eeb1a37241f
SHA256 a4e70bae6b53dba4da02f201aaac065764133dee203f660d1256bd5c390136b4
SHA512 176b7483fedd5e868172f333441a7be90ad0483b574fb5e3e48c7a96c73db6ee3713ddf9e26b4f4c9bb4b3715f1b20fb45a3fa36f68754456b940902710e8385

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5aeba1ee3fd599523ac5288f0fd52441
SHA1 999e32f7e2badc83c2a85202e98a48b8bd11f918
SHA256 5f899b7856aeed6c2fe58408b93ed59175384affbdb8919a21b79fbff23ba940
SHA512 212ba2f0f1255ede1639f65f3d616b47c27b8f236eb402017bcdd493b3c53e648d8f2d61804f2382e41a765aa3d62fa5bff3580b6056201cafb2e20c9d517f54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7a8f94431445a057e022d395b14a564
SHA1 223fa26ba3d67c75e8094d256dec18510566b846
SHA256 d3785cd5418fad1f068df69a602a5d0654301dc0452edbbd0c99d4d68ac7b0e5
SHA512 7fd5d9cba617f5e5c288854441c81380fd5985ee64347c3a73678fa11c20ee9eb50df3aadc869f2c5f28ee63e5424a389e3d904330d869c6359d4a305c0129d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0186b553abe8e0cceecf9690a634a7bc
SHA1 112692397bb103fd76193ca2d0b7a9ab3fc1f4a7
SHA256 3593fcbeaaaaf8c61e08377020976ef7c53384956609f8c676a113ae7bf995e8
SHA512 9dcc9df54be646a824d22730210e051f27c09bb36ae1c59b3925f76a314b87dbb7901ae64c9bee373dc2be5eaa748f7642b9c0d33a12901eb0b8bfd3c8d09b23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a331e342ad60770fb1ebadb0a360a096
SHA1 7c8f9a453f4df4aa355e976e2501d857b580b42d
SHA256 9da4ff2f2bbb88971092bb229fa653a9b2428e4d7e26ab880864beaf31c0b98c
SHA512 a51e269bf44bb06f318ff78ae9c68de19a0d3f435038e7443045b6f5419172b6cc757abdb21adef0c363345f690a4838ec70dbdb62cc8512c0a5acd410e2f7da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aeebf4a095ce11f2f602440becfd5b0f
SHA1 532954dac7de27147a10a706adf083963d3b8781
SHA256 f3fdbfd5d360d41fcbaa4ed5e5d213145bd7066ccdc88a349cf6a10845176cf5
SHA512 0aafd00a892897534a1e6d66d2033ff20d4fcb8a0b95c445eb3976ec02e1664cac618930354ed843e90ff4fcb5b5ccb5294d213422879eda4589e85fa7a97b18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 263e9d5df186979287a1bf6e03bd9fee
SHA1 3122cbe90ba97e179713177b106141f04a3f9159
SHA256 d022840d6ad396e9113c46525b24c9d7b2b0947ee0fa5cce13d06d9bce265f12
SHA512 3a9fdbd4f116726d819b103b9ad9f35252c4e7fc1c5af8519f3c8cdfc0d45e4efd6103e91bf93014d9f6f19c3f9d6778a91bc10471ba20f25726ae50f3bfff0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28d1b92887473e505a9fa2649e884eca
SHA1 740124b318fc68648fd9f58010720299fdf8ea03
SHA256 2a120491f4f3f22a0e2e55ce8de6ed5089e80745f3a68a630e5d133e9d51c273
SHA512 28927a94e7203640e0f283700695f464278034127ead2fce8711d448d6c4dcf8ad61a319ef3aa7f06895c448622b8752c0161c1803337ebb798386bf8a3f6e15

memory/1940-1539-0x0000000070E60000-0x000000007154E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 20:33

Reported

2023-10-12 15:23

Platform

win10v2004-20230915-en

Max time kernel

156s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

3 matches; no indicator, process or target recorded for any of them

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\6205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A

RedLine

infostealer redline

RedLine payload

15 matches; no indicator, process or target recorded for any of them

SectopRAT

trojan rat sectoprat

SectopRAT payload

3 matches; no indicator, process or target recorded for any of them

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\637D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6562.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5918.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe N/A
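The registry rows in the tables above are the ones a responder wants to triage mechanically rather than by eye: the Real-Time Protection policy values and the TamperProtection write, all credited to 6205.exe; the Geo\Nation lookups by 637D.exe, 6562.exe, explothe.exe and oneetx.exe; and the five RunOnce values. Two points are worth stating plainly. The RunOnce values are not attacker persistence: wextract.exe, the IExpress self-extractor stub, writes wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" so that its IXPnnn.TMP extraction directory is deleted at the next logon, and cleanup0 through cleanup4 here, each written by the executable that was unpacked one layer up, show five nested self-extractor layers rather than five persistence mechanisms. And a successful write under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (which needs administrative rights, which the sandbox's Admin account evidently had) shows intent, not effect: with Tamper Protection enabled Defender is designed to block or ignore these values and to protect the Features\TamperProtection value itself, so on a real host the follow-up check is Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected), not the registry. The script below is an added example, not code from the report or from the sandbox that produced it; it parses the report's own row format and applies those rules. The rule names and the CONSTRUCTED_ROWS entry are this example's own.

```python
"""Triage the registry rows a sandbox report attaches to its signatures.

Added example; not code from the report or from any sandbox product. Row format
is the report's own: '<operation> <registry path>[ = "<value>"] <process> <target>'.
SAMPLE_ROWS are copied from this report; CONSTRUCTED_ROWS is made up to exercise
the real-persistence branch. Rule names are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key queried|Key enumerated|Key value queried'
    r'|Set value \(\w+\))\s'
    r'(?P<path>\\REGISTRY\\.+?)'        # lazy: ends where the value or process column begins
    r'(?:\s=\s"(?P<value>.*)")?'         # greedy: values may contain escaped quotes
    r'\s(?P<proc>N/A|C:\\.+?)\s(?P<target>N/A|C:\\.+)$'
)

DEFENDER_RTP = r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
DEFENDER_TP = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'
GEO_NATION = r'\Control Panel\International\Geo\Nation'
RUNONCE = r'\Microsoft\Windows\CurrentVersion\RunOnce'

SAMPLE_ROWS = [  # copied from this report's signature tables
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\6205.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\637D.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5918.exe N/A',
]
CONSTRUCTED_ROWS = [  # made up, not from the report: a RunOnce value that really is persistence
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Local\Temp\example_persist.exe N/A',
]


@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    proc: str
    target: str


@dataclass
class Finding:
    rule: str
    detail: str
    proc: str


def parse_row(row: str) -> Optional[RegEvent]:
    m = ROW_RE.match(row.strip())
    return RegEvent(m['op'], m['path'], m['value'], m['proc'], m['target']) if m else None


def triage(rows: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        leaf = ev.path.rsplit('\\', 1)[-1]
        is_set = ev.op.startswith('Set value')
        if ev.op == 'Key created' and ev.path == DEFENDER_RTP:
            out.append(Finding('defender-policy-key-created', leaf, ev.proc))
        elif is_set and ev.path.startswith(DEFENDER_RTP + '\\') and ev.value == '1':
            out.append(Finding('defender-rtp-disabled', leaf, ev.proc))
        elif is_set and ev.path == DEFENDER_TP and ev.value == '0':
            out.append(Finding('defender-tamper-protection-off', leaf, ev.proc))
        elif ev.op == 'Key value queried' and ev.path.endswith(GEO_NATION):
            out.append(Finding('geo-nation-check', leaf, ev.proc))
        elif is_set and RUNONCE + '\\' in ev.path:
            value = ev.value or ''
            ixp = re.search(r'IXP\d{3}\.TMP', value)
            if 'advpack.dll,DelNodeRunDLL32' in value and ixp:
                # wextract's own cleanup entry: deletes the extraction dir, not persistence
                out.append(Finding('wextract-cleanup', f'{leaf} -> {ixp.group(0)}', ev.proc))
            else:
                out.append(Finding('runonce-persistence', f'{leaf} = {value}', ev.proc))
    return out


def summarize(findings: List[Finding]) -> Counter:
    return Counter(f.rule for f in findings)


if __name__ == '__main__':
    findings = triage(SAMPLE_ROWS + CONSTRUCTED_ROWS)
    for f in findings:
        print(f'{f.rule:32} {f.detail:44} {f.proc}')
    print(dict(summarize(findings)))
```

Feed it every row of every registry table in a report and the summary separates the one write that matters (TamperProtection to 0, and the policy values that follow it) from the wextract housekeeping that would otherwise inflate a "persistence" count.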

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
2 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
62 N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

1 match; no indicator, process or target recorded

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
32 Token: SeShutdownPrivilege N/A N/A N/A
31 Token: SeCreatePagefilePrivilege N/A N/A N/A
1 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6205.exe N/A

Suspicious use of FindShellTrayWindow

Count Description Indicator Process Target
25 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
1 N/A N/A C:\Users\Admin\AppData\Local\Temp\6562.exe N/A

Suspicious use of SendNotifyMessage

Count Description Indicator Process Target
24 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

1 match; no indicator, process or target recorded

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 216 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 216 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 216 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 216 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 216 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 216 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3184 wrote to memory of 3392 N/A N/A C:\Users\Admin\AppData\Local\Temp\5918.exe
PID 3184 wrote to memory of 3392 N/A N/A C:\Users\Admin\AppData\Local\Temp\5918.exe
PID 3184 wrote to memory of 3392 N/A N/A C:\Users\Admin\AppData\Local\Temp\5918.exe
PID 3184 wrote to memory of 840 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BB8.exe
PID 3184 wrote to memory of 840 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BB8.exe
PID 3184 wrote to memory of 840 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BB8.exe
PID 3184 wrote to memory of 3956 N/A N/A C:\Windows\system32\cmd.exe
PID 3184 wrote to memory of 3956 N/A N/A C:\Windows\system32\cmd.exe
PID 3184 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\608D.exe
PID 3184 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\608D.exe
PID 3184 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\608D.exe
PID 3184 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\6205.exe
PID 3184 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\6205.exe
PID 3184 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\Temp\637D.exe
PID 3184 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\Temp\637D.exe
PID 3184 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\Temp\637D.exe
PID 3392 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\5918.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe
PID 3392 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\5918.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe
PID 3392 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\5918.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe
PID 3184 wrote to memory of 1468 N/A N/A C:\Users\Admin\AppData\Local\Temp\6562.exe
PID 3184 wrote to memory of 1468 N/A N/A C:\Users\Admin\AppData\Local\Temp\6562.exe
PID 3184 wrote to memory of 1468 N/A N/A C:\Users\Admin\AppData\Local\Temp\6562.exe
PID 5096 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe
PID 5096 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe
PID 5096 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe
PID 3956 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3956 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3976 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe
PID 3976 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe
PID 3976 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe
PID 3184 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\6832.exe
PID 3184 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\6832.exe
PID 3184 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\6832.exe
PID 3184 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\6CE6.exe
PID 3184 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\6CE6.exe
PID 3184 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\6CE6.exe
PID 3184 wrote to memory of 3444 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F77.exe
PID 3184 wrote to memory of 3444 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F77.exe
PID 3184 wrote to memory of 3444 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F77.exe
PID 2376 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe
PID 2376 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe
PID 2376 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe
PID 3184 wrote to memory of 3588 N/A N/A C:\Users\Admin\AppData\Local\Temp\7209.exe
PID 3184 wrote to memory of 3588 N/A N/A C:\Users\Admin\AppData\Local\Temp\7209.exe
PID 3184 wrote to memory of 3588 N/A N/A C:\Users\Admin\AppData\Local\Temp\7209.exe
PID 3184 wrote to memory of 3924 N/A N/A C:\Users\Admin\AppData\Local\Temp\745B.exe
PID 3184 wrote to memory of 3924 N/A N/A C:\Users\Admin\AppData\Local\Temp\745B.exe
PID 3184 wrote to memory of 3924 N/A N/A C:\Users\Admin\AppData\Local\Temp\745B.exe
PID 2072 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe
PID 2072 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe
PID 2072 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe
PID 1400 wrote to memory of 1144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1400 wrote to memory of 1144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3184 wrote to memory of 1680 N/A N/A C:\Users\Admin\AppData\Local\Temp\82F3.exe
PID 3184 wrote to memory of 1680 N/A N/A C:\Users\Admin\AppData\Local\Temp\82F3.exe
PID 840 wrote to memory of 776 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 776 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 776 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
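The rows above are hard to read because the sandbox emits one line per WriteProcessMemory event, so the same parent/child pair repeats several times and the nesting of the IXP00N.TMP droppers is spread across the table. The following Python is an added example, not part of the report: it parses a constructed subset of these rows, collapses identical events into counts and prints the injection chain as a tree. The column layout (description, indicator, source image, target image, with N/A for values the sandbox did not have) is an assumption read off the rows; the process behind PID 3184 has no image on this page and is shown as N/A.

```python
"""Rebuild the injection chain from the repeated 'PID A wrote to memory of B'
rows of a sandbox report, collapsing identical events into counts.

Added example, not part of the report.  SAMPLE_ROWS is a constructed subset
of the table; the column layout (description, indicator, source image,
target image, 'N/A' for unknown) is an assumption of this example.
"""
import re
from collections import Counter, defaultdict

SAMPLE_ROWS = r'''
PID 3976 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe
PID 3976 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe
PID 3184 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\6832.exe
PID 3184 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\6832.exe
PID 3184 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\6832.exe
PID 3184 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\6CE6.exe
PID 2376 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe
PID 2072 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe
PID 840 wrote to memory of 776 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
'''

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.*)$")
# Split the two image columns on the whitespace that precedes a drive letter
# or an N/A placeholder, so paths containing spaces survive intact.
COLS = re.compile(r"\s+(?=(?:[A-Za-z]:\\|N/A\b))")


def parse_rows(text):
    """Return one event dict per well-formed row."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst, _indicator, rest = m.groups()
        cols = COLS.split(rest)
        if len(cols) != 2:          # not exactly source + target image
            continue
        events.append({"src": int(src), "dst": int(dst),
                       "src_image": cols[0], "dst_image": cols[1]})
    return events


def build_tree(events):
    """Return (roots, children, per-edge counts, pid -> image)."""
    counts = Counter((e["src"], e["dst"]) for e in events)
    images = {}
    for e in events:
        images.setdefault(e["src"], e["src_image"])
        images[e["dst"]] = e["dst_image"]
    children = defaultdict(set)
    for src, dst in counts:
        children[src].add(dst)
    targets = {dst for _, dst in counts}
    roots = sorted(pid for pid in children if pid not in targets)
    return roots, children, counts, images


def longest_chain(events):
    """Deepest injector -> target path, e.g. the nested IXP droppers."""
    roots, children, _, _ = build_tree(events)
    best = []

    def walk(pid, path):
        nonlocal best
        path = path + [pid]
        if len(path) > len(best):
            best = path
        for dst in children.get(pid, ()):
            if dst not in path:     # guard against cycles in odd input
                walk(dst, path)

    for r in roots:
        walk(r, [])
    return best


def render(events):
    """Indented tree lines with the write count per edge."""
    roots, children, counts, images = build_tree(events)
    lines = []

    def walk(pid, depth, seen):
        if pid in seen:
            return
        seen = seen | {pid}
        for dst in sorted(children.get(pid, ())):
            n = counts[(pid, dst)]
            lines.append(f"{'  ' * depth}{pid} -> {dst}  x{n}  {images.get(dst, 'N/A')}")
            walk(dst, depth + 1, seen)

    for r in roots:
        lines.append(f"{r}  {images.get(r, 'N/A')}")
        walk(r, 1, frozenset())
    return lines


if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    print("\n".join(render(evts)))
    print("deepest chain:", " -> ".join(map(str, longest_chain(evts))))
```

On the full table this separates the hub that writes into every freshly dropped %TEMP%\XXXX.exe (PID 3184) from the linear IXP000 to IXP004 chain, and the per-edge count tells you how many writes each injection took; cross-referencing the target PIDs with the `WerFault.exe -p <pid>` command lines further down shows which injected processes later crashed.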

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe

"C:\Users\Admin\AppData\Local\Temp\acddb63a6639c22e0fa362dfc41f7f518e251be96ea2b7ca3d61793718879d18.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 216 -ip 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 252

C:\Users\Admin\AppData\Local\Temp\5918.exe

C:\Users\Admin\AppData\Local\Temp\5918.exe

C:\Users\Admin\AppData\Local\Temp\5BB8.exe

C:\Users\Admin\AppData\Local\Temp\5BB8.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5E1B.bat" "

C:\Users\Admin\AppData\Local\Temp\608D.exe

C:\Users\Admin\AppData\Local\Temp\608D.exe

C:\Users\Admin\AppData\Local\Temp\6205.exe

C:\Users\Admin\AppData\Local\Temp\6205.exe

C:\Users\Admin\AppData\Local\Temp\637D.exe

C:\Users\Admin\AppData\Local\Temp\637D.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

C:\Users\Admin\AppData\Local\Temp\6562.exe

C:\Users\Admin\AppData\Local\Temp\6562.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fb5Kg2lG.exe

C:\Users\Admin\AppData\Local\Temp\6832.exe

C:\Users\Admin\AppData\Local\Temp\6832.exe

C:\Users\Admin\AppData\Local\Temp\6CE6.exe

C:\Users\Admin\AppData\Local\Temp\6CE6.exe

C:\Users\Admin\AppData\Local\Temp\6F77.exe

C:\Users\Admin\AppData\Local\Temp\6F77.exe

C:\Users\Admin\AppData\Local\Temp\745B.exe

C:\Users\Admin\AppData\Local\Temp\745B.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kr63Fs9.exe

C:\Users\Admin\AppData\Local\Temp\7209.exe

C:\Users\Admin\AppData\Local\Temp\7209.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj7RA8DZ.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff89db546f8,0x7ff89db54708,0x7ff89db54718

C:\Users\Admin\AppData\Local\Temp\82F3.exe

C:\Users\Admin\AppData\Local\Temp\82F3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 840 -ip 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89db546f8,0x7ff89db54708,0x7ff89db54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3180 -ip 3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 896 -ip 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 220

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 540

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,16712268703164820596,2359263071780681093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IA999ZI.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IA999ZI.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89db546f8,0x7ff89db54708,0x7ff89db54718

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6832.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6832.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ff89db546f8,0x7ff89db54708,0x7ff89db54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6968 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,15736977121356524863,6042900416302583960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6968 /prefetch:8

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
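The command lines above show the persistence and self-protection sequence in clear: `schtasks /Create /SC MINUTE /MO 1 ... /F` re-launches oneetx.exe and explothe.exe from a user-writable temp directory every minute, `echo Y|CACLS <file> /P "Admin:N"` followed by `CACLS <file> /P "Admin:R" /E` replaces the ACL on the dropped binary and its folder so the logged-on user can only read them (the piped `echo Y` answers the confirmation prompt), `rundll32.exe` loads clip64.dll from AppData\Roaming by its `Main` export, and AppLaunch.exe and vbc.exe are started with no arguments at all, which is how they look when used as hollowing hosts rather than by a developer. The following Python is an added example, not part of the report: it runs those detections over a constructed sample of command lines copied from this list. The rule names, the short list of .NET hosts treated as suspicious when started without arguments, and the "four hex digits .exe in %TEMP%" heuristic are assumptions of the example.

```python
"""Flag persistence, ACL self-protection and LOLBin patterns in Windows
process command lines of the kind listed in a sandbox report.

Added example, not part of the report.  SAMPLE_CMDLINES is a constructed
subset copied from the process list.  Rule names, DOTNET_HOSTS and the
TEMP_HEX heuristic are assumptions of this example.
"""
import re

SAMPLE_CMDLINES = r'''
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 252
C:\Users\Admin\AppData\Local\Temp\6832.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
CACLS "oneetx.exe" /P "Admin:N"
CACLS "oneetx.exe" /P "Admin:R" /E
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
'''

# A path under the user's profile that any process can write to.
USER_DIR = re.compile(r"\\(?:AppData|Temp)\\", re.I)
SCHTASKS_CREATE = re.compile(r'\bschtasks(?:\.exe)?"?\s.*?/create\b', re.I)
SC_MINUTE = re.compile(r"/sc\s+minute\b", re.I)
TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
# /P <account>:N replaces the ACL with "no access" for that account.
CACLS_DENY = re.compile(r'\bcacls(?:\.exe)?\b.*?/p\s+"?([^"\s]+?):N\b', re.I)
RUNDLL32 = re.compile(r'\brundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)\b(?:\s*,\s*(\w+))?', re.I)
# .NET framework binaries commonly used as no-argument injection hosts
# (assumption: the two seen here plus a few widely abused relatives).
DOTNET_HOSTS = ("AppLaunch", "vbc", "csc", "RegAsm", "RegSvcs", "InstallUtil")
NOARG_HOST = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?(' + "|".join(DOTNET_HOSTS) + r')\.exe"?\s*$', re.I)
# Heuristic: loader drops named like 5918.exe / 6832.exe directly in %TEMP%.
TEMP_HEX = re.compile(r'^"?[A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\Temp\\[0-9A-F]{4}\.exe"?\s*$', re.I)

RULES = ("schtasks_minute_user_dir", "cacls_deny_own_file", "rundll32_user_dll",
         "dotnet_host_no_args", "temp_short_hex_exe")


def classify(cmdline):
    """Return [(rule, detail), ...] for one command line."""
    hits = []
    cmd = cmdline.strip()
    if SCHTASKS_CREATE.search(cmd) and SC_MINUTE.search(cmd):
        m = TR_ARG.search(cmd)
        target = (m.group(1) or m.group(2)) if m else ""
        if USER_DIR.search(target):
            hits.append(("schtasks_minute_user_dir", target))
    m = CACLS_DENY.search(cmd)
    if m:
        hits.append(("cacls_deny_own_file", m.group(1)))
    m = RUNDLL32.search(cmd)
    if m and USER_DIR.search(m.group(1)):
        hits.append(("rundll32_user_dll", f"{m.group(1)} export={m.group(2) or '?'}"))
    m = NOARG_HOST.match(cmd)
    if m:
        hits.append(("dotnet_host_no_args", m.group(1)))
    if TEMP_HEX.match(cmd):
        hits.append(("temp_short_hex_exe", cmd.strip('"')))
    return hits


def scan(text):
    """Group hits by rule: {rule: [(command line, detail), ...]}."""
    report = {rule: [] for rule in RULES}
    for line in text.splitlines():
        for rule, detail in classify(line):
            report[rule].append((line.strip(), detail))
    return report


if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_CMDLINES).items():
        for cmd, detail in hits:
            print(f"{rule:26} {detail}\n    {cmd}")
```

The `/P "Admin:R" /E` lines on their own are not flagged: the deny step is the signal, the later read grant is what makes the binary still executable by the scheduled task while remaining undeletable by the user.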

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
RU 5.42.92.211:80 5.42.92.211 tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
GB 157.240.221.35:443 fbcdn.net tcp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
IE 52.210.141.111:443 mscom.demdex.net tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 111.141.210.52.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 mdec.nelreports.net udp
NL 84.53.175.67:443 mdec.nelreports.net tcp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.9:443 browser.events.data.microsoft.com tcp
US 20.189.173.9:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
IT 185.196.9.65:80 tcp
BG 171.22.28.202:16706 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 202.28.22.171.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
TR 185.216.70.238:37515 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 api.ip.sb udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 104.26.12.31:443 api.ip.sb tcp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
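Most of the table is noise for an analyst: reverse-DNS (in-addr.arpa) lookups issued by the sandbox, mDNS to 224.0.0.251, and the Google, Facebook, Microsoft and Bing rows produced by the Edge sessions that the process list shows being launched with facebook.com/login, accounts.google.com and the go.microsoft.com shim link for 6832.exe. What is left is the malware traffic: plain HTTP straight to IP literals (77.91.68.29, 77.91.68.52, 5.42.65.80, 185.216.70.222, 171.22.28.213, 5.42.92.211, 77.91.124.1, 185.196.9.65, 85.209.176.171), TCP to odd high ports (171.22.28.202:16706, 185.216.70.238:37515, 77.91.124.55:19071), and an external IP check against api.ip.sb. The following Python is an added example, not part of the report: it applies exactly that triage to a constructed subset of the rows above. The allowlist of browser/telemetry domains and the set of IP-lookup services are assumptions of the example, not a reputation feed.

```python
"""Triage a sandbox 'Network' table: drop resolver, mDNS and browser noise,
keep direct-to-IP and odd-port connections as candidate C2/download IOCs.

Added example, not part of the report.  SAMPLE_ROWS is a constructed subset
of the table (country, dest ip:port, optional domain, proto).  ALLOWLIST
and IP_LOOKUP are assumptions of this example.
"""
from collections import Counter

SAMPLE_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
IT 185.196.9.65:80 tcp
BG 171.22.28.202:16706 tcp
TR 185.216.70.238:37515 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 104.26.12.31:443 api.ip.sb tcp
US 20.189.173.9:443 browser.events.data.microsoft.com tcp
FI 77.91.124.55:19071 tcp
"""

# Domains the Edge sessions in this run are expected to touch (assumption).
ALLOWLIST = ("microsoft.com", "google.com", "facebook.com", "fbcdn.net", "fbsbx.com",
             "bing.net", "azure.com", "demdex.net", "omtrdc.net", "nelreports.net")
# Public "what is my IP" services, a common stealer check-in step (assumption).
IP_LOOKUP = {"api.ip.sb"}
STANDARD_PORTS = {80, 443}


def parse_rows(text):
    """Rows have 3 tokens (no domain) or 4 tokens (with domain)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def _allowlisted(domain):
    return any(domain == s or domain.endswith("." + s) for s in ALLOWLIST)


def triage(rows):
    """Return {'flagged': [...], 'browser': [...], 'resolved': [...]}."""
    resolved, browser, flagged, reasons = set(), set(), Counter(), {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if not r["domain"].endswith(".in-addr.arpa"):   # keep forward lookups
                resolved.add(r["domain"])
            continue
        if r["port"] == 5353 and r["ip"].startswith("224."):
            continue                                         # mDNS chatter
        key = (r["ip"], r["port"], r["domain"])
        if not r["domain"] or r["domain"] == r["ip"]:
            if r["port"] not in STANDARD_PORTS:
                reason = "direct-to-IP, non-standard port"
            else:
                reason = "direct-to-IP HTTP" if r["port"] == 80 else "direct-to-IP HTTPS"
        elif r["domain"] in IP_LOOKUP:
            reason = "external IP lookup service"
        elif _allowlisted(r["domain"]):
            browser.add(r["domain"])
            continue
        else:
            reason = "unrecognised domain"
        flagged[key] += 1
        reasons[key] = reason
    out = [{"ip": ip, "port": port, "domain": dom, "hits": n, "reason": reasons[(ip, port, dom)]}
           for (ip, port, dom), n in flagged.items()]
    out.sort(key=lambda e: (-e["hits"], e["ip"], e["port"]))
    return {"flagged": out, "browser": sorted(browser), "resolved": sorted(resolved)}


def indicators(rows):
    """Sorted ip:port strings suitable for a blocklist or hunt query."""
    return sorted(f'{e["ip"]}:{e["port"]}' for e in triage(rows)["flagged"])


if __name__ == "__main__":
    rep = triage(parse_rows(SAMPLE_ROWS))
    for e in rep["flagged"]:
        print(f'{e["ip"]}:{e["port"]:<6} x{e["hits"]}  {e["reason"]}')
    print("browser noise:", ", ".join(rep["browser"]))
```

Repeated hits to one non-standard port (77.91.124.55:19071 six times in the full table) are the strongest C2 candidate here; the single-shot port-80 IP literals look like payload downloads and fit the "Downloads MZ/PE file" signature, but the table alone cannot tell which host served which dropped file, so confirm against the pcap before attributing.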

Files

memory/4488-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4488-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3184-2-0x0000000007560000-0x0000000007576000-memory.dmp

memory/4488-4-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5918.exe

MD5 e52a30d0a60c29f5ab163dfe521df185
SHA1 bb3747167aa0ca5c75fd989d913aedd7d74a05ff
SHA256 0001093d18c7660b7d8e557b93eeeeb1bbcceb7069a369a1eac49cc01737ab06
SHA512 d462130abb6eb8eaf8bd2f7d9f96fe9a45240cba904ba2767000c52dd7f6b966a6d3eb51625350a95f92e1030e421e890081c0842b1c5364fc7452bf5423cd34

C:\Users\Admin\AppData\Local\Temp\5918.exe

MD5 e52a30d0a60c29f5ab163dfe521df185
SHA1 bb3747167aa0ca5c75fd989d913aedd7d74a05ff
SHA256 0001093d18c7660b7d8e557b93eeeeb1bbcceb7069a369a1eac49cc01737ab06
SHA512 d462130abb6eb8eaf8bd2f7d9f96fe9a45240cba904ba2767000c52dd7f6b966a6d3eb51625350a95f92e1030e421e890081c0842b1c5364fc7452bf5423cd34

C:\Users\Admin\AppData\Local\Temp\5BB8.exe

MD5 7a06af08168ee22dec9e1ce956586356
SHA1 435dadb3e98b39cba5473a8d2d7d53f7eca46e6c
SHA256 a5cf1265a3e0a01df83ff1ee86c974340695457d444013efa35e13b4b2ac7420
SHA512 5f0e6e5dbf7900cccfb39fef1df796fe1729849f46c226dac8829ac4131495725da7f5d2aededf467f2e9b09a7f053efd39ce5ad4766dcdf35c603dfbc52a98e

C:\Users\Admin\AppData\Local\Temp\5BB8.exe

MD5 7a06af08168ee22dec9e1ce956586356
SHA1 435dadb3e98b39cba5473a8d2d7d53f7eca46e6c
SHA256 a5cf1265a3e0a01df83ff1ee86c974340695457d444013efa35e13b4b2ac7420
SHA512 5f0e6e5dbf7900cccfb39fef1df796fe1729849f46c226dac8829ac4131495725da7f5d2aededf467f2e9b09a7f053efd39ce5ad4766dcdf35c603dfbc52a98e

C:\Users\Admin\AppData\Local\Temp\5E1B.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\608D.exe

MD5 e37479ec728fbc1e48caa448ab9c8b75
SHA1 7ac8f4c52b7fe7a2b43d55ad532ded9e30b0fffe
SHA256 f44ea387dd58b2bc4ba640a73a8ad835bec6387682b0049ab35b25241f48f311
SHA512 5c0d1cbc4672c52ac5108215dd5fe037efab112e11cde051ca80acfa3758671389578048c69fbd7096284d22eb925afeee55c4fabc9ea0da176cab096a90901b

C:\Users\Admin\AppData\Local\Temp\6205.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/2528-33-0x0000000000640000-0x000000000064A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6205.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\608D.exe

MD5 e37479ec728fbc1e48caa448ab9c8b75
SHA1 7ac8f4c52b7fe7a2b43d55ad532ded9e30b0fffe
SHA256 f44ea387dd58b2bc4ba640a73a8ad835bec6387682b0049ab35b25241f48f311
SHA512 5c0d1cbc4672c52ac5108215dd5fe037efab112e11cde051ca80acfa3758671389578048c69fbd7096284d22eb925afeee55c4fabc9ea0da176cab096a90901b

C:\Users\Admin\AppData\Local\Temp\637D.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

MD5 e61fb5f7b04a7f9ada6510aba6145bae
SHA1 3736014513e65fb606c3e91d3cff2fb3b587cfc4
SHA256 4b68f0baa4ca10e82e77ecb76d9d61dd6f9c459642f1d14863baf47d641fb86a
SHA512 e50c8a08604838204e1cd399d2e65a16783246098e4a58a2394503e8b583f8de103d407f4f87a4a40375bd9a026ab87f68372406f39929ef9183e1eb49c595e4

C:\Users\Admin\AppData\Local\Temp\637D.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS1kf7tj.exe

MD5 e61fb5f7b04a7f9ada6510aba6145bae
SHA1 3736014513e65fb606c3e91d3cff2fb3b587cfc4
SHA256 4b68f0baa4ca10e82e77ecb76d9d61dd6f9c459642f1d14863baf47d641fb86a
SHA512 e50c8a08604838204e1cd399d2e65a16783246098e4a58a2394503e8b583f8de103d407f4f87a4a40375bd9a026ab87f68372406f39929ef9183e1eb49c595e4

C:\Users\Admin\AppData\Local\Temp\6562.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\6562.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2528-53-0x00007FF8A0000000-0x00007FF8A0AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yu0uM2DP.exe
