Malware Analysis Report

2024-11-30 23:24

Sample ID 231012-pzyfqscf59
Target de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c
SHA256 de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c
Tags
amadey dcrat healer redline sectoprat smokeloader systembc @ytlogsbot breha kukish pixelscloud2.0 prets backdoor dropper evasion infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c

Threat Level: Known bad

The file de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c was found to be: Known bad.

Malicious Activity Summary

amadey dcrat healer redline sectoprat smokeloader systembc @ytlogsbot breha kukish pixelscloud2.0 prets backdoor dropper evasion infostealer persistence rat spyware stealer trojan

Amadey

Healer

Detects Healer, an antivirus disabler dropper

SmokeLoader

RedLine payload

SectopRAT payload

SystemBC

Modifies Windows Defender Real-time Protection settings

DcRat

RedLine

SectopRAT

Looks for VirtualBox Guest Additions in registry

Downloads MZ/PE file

Looks for VMWare Tools registry key

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Uses the VBS compiler for execution

Loads dropped DLL

.NET Reactor protector

Checks BIOS information in registry

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Maps connected drives based on registry

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 12:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 12:46

Reported

2023-10-16 03:30

Platform

win7-20230831-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2468 set thread context of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2468 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2468 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2468 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2468 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2420 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2420 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2420 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2420 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2420 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2420 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2420 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe

"C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 92

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 200

Network

N/A

Files

memory/2420-0-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2420-1-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2420-2-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2420-4-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2420-3-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2420-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2420-5-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2420-7-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2420-9-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2420-11-0x0000000000400000-0x000000000053D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 12:46

Reported

2023-10-16 03:31

Platform

win10v2004-20230915-en

Max time kernel

122s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E00E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\E00E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\E00E.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\E00E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E00E.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\2155.exe N/A

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\2155.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2155.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9643683.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3357420.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7E0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2705951.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9809833.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5492782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9643683.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1277284.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3357420.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DABC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pd9AT8Ax.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DED5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly4Vg9xo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E00E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2AF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kl9vi6ZY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\tk9Fs0eR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FA23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7E0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\ProgramData\lrrkd\oehxux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\E00E.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly4Vg9xo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto2552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000076051\\foto2552.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kl9vi6ZY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D8C7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pd9AT8Ax.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000127051\\socks.exe" C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sus.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000075051\\sus.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\tk9Fs0eR.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\2155.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3604 set thread context of 3228 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 820 set thread context of 180 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2705951.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 set thread context of 3816 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9809833.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4252 set thread context of 1048 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5492782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 set thread context of 3504 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1277284.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 460 set thread context of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4548 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Temp\DABC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2916 set thread context of 2040 N/A C:\Users\Admin\AppData\Local\Temp\DED5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1820 set thread context of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3476 set thread context of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3348 set thread context of 3020 N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2268 set thread context of 2108 N/A C:\Users\Admin\AppData\Local\Temp\FA23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4216 set thread context of 6140 N/A C:\Users\Admin\AppData\Local\Temp\2155.exe C:\Users\Admin\AppData\Local\Temp\2155.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\oehxux.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
File opened for modification C:\Windows\Tasks\oehxux.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\BIOS C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\2155.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\2155.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3228 wrote to memory of 4488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe
PID 4488 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe
PID 444 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe
PID 3936 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe
PID 460 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2705951.exe
PID 820 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2705951.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 460 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9809833.exe
PID 1468 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9809833.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3936 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5492782.exe
PID 4252 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5492782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9643683.exe
PID 2660 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9643683.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
PID 4488 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1277284.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe

"C:\Users\Admin\AppData\Local\Temp\de233530407e7ea1b9706d75f4a121b5572ca856b73c0174911cc6c7d34a780c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3604 -ip 3604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2705951.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2705951.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 820 -ip 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9809833.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9809833.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1468 -ip 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3816 -ip 3816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 208

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5492782.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5492782.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4252 -ip 4252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9643683.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9643683.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1277284.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1277284.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3476 -ip 3476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3357420.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3357420.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1"

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

"C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 460 -ip 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 148

C:\Users\Admin\AppData\Local\Temp\D8C7.exe

C:\Users\Admin\AppData\Local\Temp\D8C7.exe

C:\Users\Admin\AppData\Local\Temp\DABC.exe

C:\Users\Admin\AppData\Local\Temp\DABC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DB98.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pd9AT8Ax.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pd9AT8Ax.exe

C:\Users\Admin\AppData\Local\Temp\DED5.exe

C:\Users\Admin\AppData\Local\Temp\DED5.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly4Vg9xo.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly4Vg9xo.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\E00E.exe

C:\Users\Admin\AppData\Local\Temp\E00E.exe

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

"C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 140

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

"C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe"

C:\Users\Admin\AppData\Local\Temp\E2AF.exe

C:\Users\Admin\AppData\Local\Temp\E2AF.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kl9vi6ZY.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kl9vi6ZY.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\tk9Fs0eR.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\tk9Fs0eR.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2916 -ip 2916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1820 -ip 1820

C:\Users\Admin\AppData\Local\Temp\E86D.exe

C:\Users\Admin\AppData\Local\Temp\E86D.exe

C:\Users\Admin\AppData\Local\Temp\EA81.exe

C:\Users\Admin\AppData\Local\Temp\EA81.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4700 -ip 4700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 192

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\ED70.exe

C:\Users\Admin\AppData\Local\Temp\ED70.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3476 -ip 3476

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5100 -ip 5100

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3348 -ip 3348

C:\Users\Admin\AppData\Local\Temp\FA23.exe

C:\Users\Admin\AppData\Local\Temp\FA23.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 208

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

"C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe"

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe

C:\Users\Admin\AppData\Local\Temp\7E0.exe

C:\Users\Admin\AppData\Local\Temp\7E0.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b02c46f8,0x7ff8b02c4708,0x7ff8b02c4718

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe

C:\Users\Admin\AppData\Local\Temp\2155.exe

C:\Users\Admin\AppData\Local\Temp\2155.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8b02c46f8,0x7ff8b02c4708,0x7ff8b02c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1

C:\ProgramData\lrrkd\oehxux.exe

C:\ProgramData\lrrkd\oehxux.exe start2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12796409907610933836,14789592244076832570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\2155.exe

C:\Users\Admin\AppData\Local\Temp\2155.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\SYSTEM32\cmd.exe

cmd /c

C:\Windows\system32\runas.exe

runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\2155.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Skype.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM browser.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\system32\taskkill.exe

taskkill /F /IM iridium.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\taskkill.exe

taskkill /F /IM uran.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\system32\taskkill.exe

taskkill /F /IM epic.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM sputnik.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM 7star.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM centbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM amigo.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM torch.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM kometa.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM orbitum.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM viber.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM WhatsApp.exe.

C:\Windows\system32\taskkill.exe

taskkill /F /IM monero-wallet-gui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM coinomi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM bytecoinwallet.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM armoryqt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM atomicwallet.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM exodus.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM electrum.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dash-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM litecoin-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b0a99758,0x7ff8b0a99768,0x7ff8b0a99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1892,i,16575786055722142136,9990991705716672057,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1892,i,16575786055722142136,9990991705716672057,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1892,i,16575786055722142136,9990991705716672057,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1892,i,16575786055722142136,9990991705716672057,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1892,i,16575786055722142136,9990991705716672057,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4576 --field-trial-handle=1892,i,16575786055722142136,9990991705716672057,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1892,i,16575786055722142136,9990991705716672057,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4780 --field-trial-handle=1892,i,16575786055722142136,9990991705716672057,131072 /prefetch:8

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.238:37515 tcp
NL 85.209.176.128:80 85.209.176.128 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 128.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 104.26.12.31:443 api.ip.sb tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
DE 172.217.23.202:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 202.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com tcp
N/A 127.0.0.1:3389 tcp

Files

memory/3228-0-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3228-1-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3228-2-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3228-3-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe

MD5 cd004afc087c8756aeb51449d71a5ca4
SHA1 e5de751a38a6ab3efdb3ca2b6c864659d687889b
SHA256 a7f51fd8432c740bb6e51d84b4668ea52cbcb124e9ef911d9a4448ce801abd2c
SHA512 60f602c134847059fd82ea994a736d13b6d1c3bc2b36cd132b67c8c455fcaef36fae58718867612ecd531fce079f9f4d1a9a2fe9597e7cb81ff8f545c964617e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5316482.exe

MD5 cd004afc087c8756aeb51449d71a5ca4
SHA1 e5de751a38a6ab3efdb3ca2b6c864659d687889b
SHA256 a7f51fd8432c740bb6e51d84b4668ea52cbcb124e9ef911d9a4448ce801abd2c
SHA512 60f602c134847059fd82ea994a736d13b6d1c3bc2b36cd132b67c8c455fcaef36fae58718867612ecd531fce079f9f4d1a9a2fe9597e7cb81ff8f545c964617e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe

MD5 2ee582b14da193ae21839cfdc4253daf
SHA1 5089e596d864fba183ea1f2f6e6908c8fe704ca5
SHA256 527b0ef57b55dafbcfd80d05be06be51a999084468198020bca097eddf15503c
SHA512 ad587bda3544884bb21c44742c59cdf5a27bfbe45087a3c40f51be4afbae08f2339ff166dbfa87e375b042a7f15597ae54d89338126f91989d854fe8d390920d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0512678.exe

MD5 2ee582b14da193ae21839cfdc4253daf
SHA1 5089e596d864fba183ea1f2f6e6908c8fe704ca5
SHA256 527b0ef57b55dafbcfd80d05be06be51a999084468198020bca097eddf15503c
SHA512 ad587bda3544884bb21c44742c59cdf5a27bfbe45087a3c40f51be4afbae08f2339ff166dbfa87e375b042a7f15597ae54d89338126f91989d854fe8d390920d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe

MD5 72f922bcdd311256fa8dac13ab933fd2
SHA1 11d3c256e8d73c4e180f773f5d57bf2e52d620d5
SHA256 1a89ac9b1a6ff035aefd7c289a1460f86127eda57c9b0d56c0de22888dce4f1f
SHA512 07dff433267089087d40e658de9665fceef05f1d28638af852d6a36ff50d2c02a2a8bd8bc384e30a3c1a725c8be2cb2a85a563f013bb390d25d42f1e7128ff25

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9771853.exe

MD5 72f922bcdd311256fa8dac13ab933fd2
SHA1 11d3c256e8d73c4e180f773f5d57bf2e52d620d5
SHA256 1a89ac9b1a6ff035aefd7c289a1460f86127eda57c9b0d56c0de22888dce4f1f
SHA512 07dff433267089087d40e658de9665fceef05f1d28638af852d6a36ff50d2c02a2a8bd8bc384e30a3c1a725c8be2cb2a85a563f013bb390d25d42f1e7128ff25

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe

MD5 9525df7ce10456f5a8041fa685286662
SHA1 df9d348806ef00b88366920828b7c4f445cd7658
SHA256 39a73c699f01e71785496a51bb0bf88a52722933d8a5bce3b7aef902e8bedcc9
SHA512 8a41eac86dfeaed03284678a2000355815a18eda3324c137b53e43583dbc2139459563502e275b705570b5e55a5f98c2e3435a97054aa5cd790c8a7e0aebd7f7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7055045.exe

MD5 9525df7ce10456f5a8041fa685286662
SHA1 df9d348806ef00b88366920828b7c4f445cd7658
SHA256 39a73c699f01e71785496a51bb0bf88a52722933d8a5bce3b7aef902e8bedcc9
SHA512 8a41eac86dfeaed03284678a2000355815a18eda3324c137b53e43583dbc2139459563502e275b705570b5e55a5f98c2e3435a97054aa5cd790c8a7e0aebd7f7

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2705951.exe

MD5 3ec18e3b8415b7970b8440e63effea3a
SHA1 fdad1b5136064292dac998d335757184c3ef15ef
SHA256 89f80bd358b0a27ca890c86eaeb5e6dbf52a04d8966ca69ca3d4edf0f9630730
SHA512 56cea18222ad8d15134c0f3bb96cd91fb78cd700b8aa3d1f3d88c2ea2911a0cea77973285e511019f8b4d54ac5eed4a43c4d6348ba4d516c44fcb5eb6ef3a426

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2705951.exe

MD5 3ec18e3b8415b7970b8440e63effea3a
SHA1 fdad1b5136064292dac998d335757184c3ef15ef
SHA256 89f80bd358b0a27ca890c86eaeb5e6dbf52a04d8966ca69ca3d4edf0f9630730
SHA512 56cea18222ad8d15134c0f3bb96cd91fb78cd700b8aa3d1f3d88c2ea2911a0cea77973285e511019f8b4d54ac5eed4a43c4d6348ba4d516c44fcb5eb6ef3a426

memory/180-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3228-40-0x0000000000400000-0x000000000053D000-memory.dmp

memory/180-41-0x0000000073B30000-0x00000000742E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9809833.exe

MD5 7eb2fbc1fa8618b07002e12af454b9d7
SHA1 ba1064443ad66ec9b4b1d967446857c3161cd631
SHA256 c2537692e783969685eb4e734b556e654871afa26702247d3d3d6b45d720ee69
SHA512 057574be7c561af8749376297b44e2e4cc57a31d16cb6622d4c5a0d0c2c3e85c32405d6f2bfca4d2c55b517af952e69380d6ed54a3a4ac2829cb5e08659d6a5f

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9809833.exe

MD5 7eb2fbc1fa8618b07002e12af454b9d7
SHA1 ba1064443ad66ec9b4b1d967446857c3161cd631
SHA256 c2537692e783969685eb4e734b556e654871afa26702247d3d3d6b45d720ee69
SHA512 057574be7c561af8749376297b44e2e4cc57a31d16cb6622d4c5a0d0c2c3e85c32405d6f2bfca4d2c55b517af952e69380d6ed54a3a4ac2829cb5e08659d6a5f

memory/3816-45-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3816-46-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3816-47-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3816-49-0x0000000000400000-0x000000000042F000-memory.dmp

memory/180-52-0x0000000073B30000-0x00000000742E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5492782.exe

MD5 214911869178418af48391b789d76288
SHA1 ac1b6c24a0e3286b308661afe63caa05a283963d
SHA256 14cbd623301a72e96c9bf319cefba1338716f96cd5dae3983ee89e093fbde6f8
SHA512 2e22b0f22c617e6bce559afb0d80063214d67ced3d4a6b3d3821e0f0943dbd0648efd17393c8b97b4e7075f370d7bc416345e5d00c9bb0e762d7a6269b51cdb3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5492782.exe

MD5 214911869178418af48391b789d76288
SHA1 ac1b6c24a0e3286b308661afe63caa05a283963d
SHA256 14cbd623301a72e96c9bf319cefba1338716f96cd5dae3983ee89e093fbde6f8
SHA512 2e22b0f22c617e6bce559afb0d80063214d67ced3d4a6b3d3821e0f0943dbd0648efd17393c8b97b4e7075f370d7bc416345e5d00c9bb0e762d7a6269b51cdb3

memory/1048-54-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1048-55-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9643683.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9643683.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

memory/3184-61-0x0000000002D60000-0x0000000002D76000-memory.dmp

memory/1048-62-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1277284.exe

MD5 11ea600cec9655a83cca637b450e08a3
SHA1 5da9d4b028e6bb1248188aa5b4bc76463a6a53c5
SHA256 c9453330123864a214d0dfb594714bb39f39e3de64ebe7b75f0a11f84bdeb227
SHA512 cc99f6f0bd36fb139133917e32149b84ccf7583d19c3e1588e0e6faaa2ba0d469da537a08d9fc630dab81d9c2d8a3497184f79fe73a4f9885d949d69c3756bc0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1277284.exe

MD5 11ea600cec9655a83cca637b450e08a3
SHA1 5da9d4b028e6bb1248188aa5b4bc76463a6a53c5
SHA256 c9453330123864a214d0dfb594714bb39f39e3de64ebe7b75f0a11f84bdeb227
SHA512 cc99f6f0bd36fb139133917e32149b84ccf7583d19c3e1588e0e6faaa2ba0d469da537a08d9fc630dab81d9c2d8a3497184f79fe73a4f9885d949d69c3756bc0

memory/3504-75-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3504-76-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/3504-77-0x0000000005560000-0x0000000005566000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3357420.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3357420.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/3228-90-0x0000000000400000-0x000000000053D000-memory.dmp

memory/180-92-0x0000000073B30000-0x00000000742E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1

MD5 396a54bc76f9cce7fb36f4184dbbdb20
SHA1 bb4a6e14645646b100f72d6f41171cd9ed6d84c4
SHA256 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a
SHA512 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe

memory/3976-98-0x0000000073B30000-0x00000000742E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

MD5 ed68db3e61b1eab8d1de76b206b4a49d
SHA1 8d69b9cf4b766b3a8bea15a66be92c03fa175f5d
SHA256 73692bf03a65b37f94c489a31213c952ff6da8efa40ec3005070c22be8564850
SHA512 b52977a57bf40b5f40b9a2cc3be327e8f67aea9373541cd361ffc1b729c05353a9b4c8acfe4346f186add5341061a3e72acb86f0f89f24ba1d10131ef75d2d52

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

MD5 ed68db3e61b1eab8d1de76b206b4a49d
SHA1 8d69b9cf4b766b3a8bea15a66be92c03fa175f5d
SHA256 73692bf03a65b37f94c489a31213c952ff6da8efa40ec3005070c22be8564850
SHA512 b52977a57bf40b5f40b9a2cc3be327e8f67aea9373541cd361ffc1b729c05353a9b4c8acfe4346f186add5341061a3e72acb86f0f89f24ba1d10131ef75d2d52

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

MD5 ed68db3e61b1eab8d1de76b206b4a49d
SHA1 8d69b9cf4b766b3a8bea15a66be92c03fa175f5d
SHA256 73692bf03a65b37f94c489a31213c952ff6da8efa40ec3005070c22be8564850
SHA512 b52977a57bf40b5f40b9a2cc3be327e8f67aea9373541cd361ffc1b729c05353a9b4c8acfe4346f186add5341061a3e72acb86f0f89f24ba1d10131ef75d2d52

memory/3980-116-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3504-121-0x0000000073B30000-0x00000000742E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D8C7.exe

MD5 296a99463a7cab9be804160b9a921511
SHA1 7e68a29ee63ba62a1aad985843540add58c50470
SHA256 ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074
SHA512 f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13

C:\Users\Admin\AppData\Local\Temp\D8C7.exe

MD5 296a99463a7cab9be804160b9a921511
SHA1 7e68a29ee63ba62a1aad985843540add58c50470
SHA256 ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074
SHA512 f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13

memory/3976-126-0x0000000005340000-0x0000000005350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DABC.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

memory/3976-130-0x0000000005200000-0x0000000005236000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

MD5 49c6b2129cba0a548bc9ea93e8a64dde
SHA1 50cb8f80a6406eddf22196a4b377a224741a248c
SHA256 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e
SHA512 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

MD5 49c6b2129cba0a548bc9ea93e8a64dde
SHA1 50cb8f80a6406eddf22196a4b377a224741a248c
SHA256 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e
SHA512 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

MD5 296a99463a7cab9be804160b9a921511
SHA1 7e68a29ee63ba62a1aad985843540add58c50470
SHA256 ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074
SHA512 f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13

memory/3976-148-0x0000000005340000-0x0000000005350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DABC.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

C:\Users\Admin\AppData\Local\Temp\DED5.exe

MD5 cb6e2f389f21e3ea466698a289e5089c
SHA1 8f3c17c72b7a4813883bffa8d600848fa4d7930c
SHA256 76426f6eeaff9fc1542bbb511691c20df2d31c678d2110c444c992d2df1e6a37
SHA512 ff4128122587543d5db15909e126f67669fe3ccdb093c734f66f7d971b0e26e14ca04a7b791a657b512033991c726e660c6d6a11cf12964cd49a333011c64e0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ly4Vg9xo.exe

MD5 868ea2d858e6aa3a541f36b9b9249485
SHA1 e659f9b7e75313fe94f67350cd4c9518428b61d2
SHA256 eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0
SHA512 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

MD5 0c37d9cb86e3e66f48608b6015f2dd0c
SHA1 9eb94f6fd734a914b3e764f7580b921025df6d25
SHA256 c70d9ea784b5a26cf6b2e2383640e265f4d3f65b208a5fb1ab73019d54c42ebb
SHA512 dc4035adb37de5ba8828b47bfea0e774a12fa2e789556489b9ba1ff110dff55190eb292fb2feabb886c7e00aad695ba39f2d7793b6a6eab744fd36a86b390a62

C:\Users\Admin\AppData\Local\Temp\E00E.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

memory/5028-171-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5028-180-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

MD5 296a99463a7cab9be804160b9a921511
SHA1 7e68a29ee63ba62a1aad985843540add58c50470
SHA256 ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074
SHA512 f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13

memory/5028-189-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1752-206-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/5028-205-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2AF.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1752-201-0x0000000073B30000-0x00000000742E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB98.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kl9vi6ZY.exe

MD5 9d8956aa80a4ff33e0f19f3ec2cca953
SHA1 6993a5a4710fe281ca5d112c8e822155832820ea
SHA256 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be
SHA512 ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\tk9Fs0eR.exe

MD5 49c6b2129cba0a548bc9ea93e8a64dde
SHA1 50cb8f80a6406eddf22196a4b377a224741a248c
SHA256 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e
SHA512 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6

memory/1752-219-0x00000000023E0000-0x0000000002400000-memory.dmp

memory/5028-220-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

memory/2040-223-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Local\Temp\E86D.exe

MD5 bd11f2559ac0485e2c05cdb9a632f475
SHA1 68a0d8fa32aa70c02978cf903f820ec67a7973d3
SHA256 d77617d6633bee3d878ec0e24576868511d446f47bdb4ef644fdb8849ba7e497
SHA512 d0490bc8f90b9cf640e53e70fb64d37cfe35516bc2034bacbd5044c187663078b7e0cfe0382c878cdc4c699155c879ec608ed55eac8aaea873930aeb3bd10b04

memory/2040-234-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/4700-236-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4700-233-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA81.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/4700-239-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3980-246-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\4Ly148ql.exe

MD5 cb6e2f389f21e3ea466698a289e5089c
SHA1 8f3c17c72b7a4813883bffa8d600848fa4d7930c
SHA256 76426f6eeaff9fc1542bbb511691c20df2d31c678d2110c444c992d2df1e6a37
SHA512 ff4128122587543d5db15909e126f67669fe3ccdb093c734f66f7d971b0e26e14ca04a7b791a657b512033991c726e660c6d6a11cf12964cd49a333011c64e0e

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe

MD5 868ea2d858e6aa3a541f36b9b9249485
SHA1 e659f9b7e75313fe94f67350cd4c9518428b61d2
SHA256 eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0
SHA512 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d

memory/3184-242-0x00000000087C0000-0x00000000087D6000-memory.dmp

memory/2040-259-0x00000000079B0000-0x0000000007F54000-memory.dmp

memory/5100-262-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2380-272-0x0000000000CF0000-0x0000000000D0E000-memory.dmp

memory/5100-265-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED70.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/3976-261-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/2380-273-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/1232-275-0x0000000000C20000-0x0000000000C7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe

MD5 9d8956aa80a4ff33e0f19f3ec2cca953
SHA1 6993a5a4710fe281ca5d112c8e822155832820ea
SHA256 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be
SHA512 ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484

memory/1232-276-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/912-278-0x0000000000400000-0x000000000046E000-memory.dmp

memory/5100-274-0x0000000000400000-0x0000000000432000-memory.dmp

memory/912-280-0x0000000000570000-0x00000000005CA000-memory.dmp

memory/2040-279-0x00000000074A0000-0x0000000007532000-memory.dmp

memory/1752-285-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/3976-291-0x0000000005980000-0x0000000005FA8000-memory.dmp

memory/3976-290-0x0000000005340000-0x0000000005350000-memory.dmp

memory/912-292-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/3976-293-0x0000000005340000-0x0000000005350000-memory.dmp

memory/1752-294-0x0000000004990000-0x00000000049AE000-memory.dmp

memory/3020-305-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3020-304-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2268-308-0x0000000000BF0000-0x0000000000DDA000-memory.dmp

memory/1752-307-0x0000000073B30000-0x00000000742E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

memory/3020-309-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1752-317-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/2040-318-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/2268-319-0x0000000000BF0000-0x0000000000DDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe

MD5 fa1fb003b8579fce1ec837487a842c35
SHA1 a7182b39581d3036c287ca54aa5b8cd41720d2cc
SHA256 5366c36e6380b6bb7dcfec54ba4df1f61d732942b415841125df6ab97aeac138
SHA512 7e00d532f8b84ef180f4a88188eb2466c3d2b96089a623ec2b4dbcbfca12ac2040c6808c53b00c60cd5ccf955972b895aa60657d75f732cdc9c088eacfffc56c

memory/4408-327-0x00000000002E0000-0x000000000031E000-memory.dmp

memory/2708-329-0x0000000000560000-0x00000000009B8000-memory.dmp

memory/2380-328-0x0000000005B90000-0x00000000061A8000-memory.dmp

memory/4408-326-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/2380-330-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/1232-332-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/2108-331-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2380-336-0x0000000005590000-0x00000000055A2000-memory.dmp

memory/2708-338-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/2268-339-0x0000000000BF0000-0x0000000000DDA000-memory.dmp

memory/2108-340-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/1752-341-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-342-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-344-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-347-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-349-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-351-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-352-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/1752-354-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-356-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-358-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1752-360-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/912-373-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/1752-376-0x0000000004B70000-0x0000000004B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/2336-384-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/4216-387-0x0000020D5EC70000-0x0000020D5F180000-memory.dmp

memory/3976-401-0x00000000056E0000-0x0000000005702000-memory.dmp

memory/4216-402-0x0000020D795C0000-0x0000020D79952000-memory.dmp

memory/2380-405-0x00000000055F0000-0x000000000562C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9639d829f5d2ac429de7ffa22efc1fef
SHA1 4ff7cc4ac36a31f29f8c098faa18fb9fb19d9376
SHA256 525c33a1f4276e0767d3899036cd70ee02f46e1022722502ccfb8fbf8c43df16
SHA512 9f2e299e50ec99a616f370e7d3c54c0dd16737ccee3be2f07e75f6f7cc7c5b337bf2a173f0af9ad799d527cb23b134a7b9c9a24e4d92e29b263fd73d16fc6ee7

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3976-423-0x0000000005880000-0x00000000058E6000-memory.dmp

memory/4216-425-0x00007FF89FFA0000-0x00007FF8A0A61000-memory.dmp

memory/2708-426-0x0000000073B30000-0x00000000742E0000-memory.dmp

memory/3976-436-0x0000000006060000-0x00000000060C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mjvbpwno.1qd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 25b0b0cabdbd148acf5abbf156aa5403
SHA1 e9a5144989c682cf1f69b8c7b36d68f41bedc108
SHA256 b46f36dc20d8d4d05c7e797962199860bd7457e4b0a636f885813627d8e364a8
SHA512 c0a46de5559886acf7cb8086ebb8abab236090efe69602812967afef47a4255a7cfae66250b1b02ef70b1472a0113696b9526b7fb30d80671666a2cb1d545c53

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3945036ca785a08a1391255cacc698fa
SHA1 efd67a0938e2706dffbe8bc6b7c04daefd6450bf
SHA256 dc515f38f17b6028e689a023a859213716f47f18e71911492516d4b910e2bf10
SHA512 50e3173982949c3a501d1ffe01deca76c855450a802d6121c41b84888e15d661624cfa208126ca173aad5460e744a308e46bd08f6b1239427b87ece43eeaecda

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 0c459e65bcc6d38574f0c0d63a87088a
SHA1 41e53d5f2b3e7ca859b842a1c7b677e0847e6d65
SHA256 871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
SHA512 be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2ac6d3fcf6913b1a1ac100407e97fccb
SHA1 809f7d4ed348951b79745074487956255d1d0a9a
SHA256 30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA512 79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c7da20bbffbb4f72578ba4ea670107b0
SHA1 5f96f82fe7ee9207cabe171d6fca62da094fa7e8
SHA256 e0725099ac29c4fe1cb9c44d0dcb5c0cd07f89475de4c5954c6a93cc62ba5252
SHA512 5ed738b86451bae8143ec0566fdbfc314664f42646aabf0e7935b43d23e12e92bcae8b7611dcb18906160956df9bd658a0c1c41f19f4ae8669cf109195dbfeb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a6ee706de98f64472db591444a5f2fa3
SHA1 90ba01bdfa54cf0c7b66b40f16ff759da12a97d7
SHA256 b6a5ca19140b0064d1bc82548cd9c5578eb0872c2eb072d154cf137bde8fd53f
SHA512 f570d394e98ae07ab191ebf57075dffc4ae4870057a8f3cec2b15d7cf99f9d2fd7656ecce9d468c88381f5da1e23871ec4d44d717a88fee09c5b7b4c2f9afba6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 317276c987fbbf57b14077f9be1b6800
SHA1 17e9ecc1ace34f611420a17cf82b74e2dbf11d15
SHA256 b7b2274aeee2a071f716ce9309047d48fce0cffd338315b0b44cd52d5ccbc3ef
SHA512 8db13c79ca202fe201cc5052ab657e35abc9395486b385eadcf5f8ab2eca87dc07526560d48256f67cd46c00b065491565c503771c9433fd9f4d98532d98419c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5997a2.TMP

MD5 011988669d37d586343162992343b132
SHA1 8fe6ebdc62e8528fb79d807cdefa7ba85b17d97f
SHA256 f0cd49d918611beaf2cb9f34e2baa098972d999f60fb9a67214b31e6f8c9b037
SHA512 73efe3f0f6febca3e363d93ff30a7bcfe00492b9f719fb966723adae107159b3888a55cd7ab78fb0e15e516cbfa862667d63d616c8b5b1360d3e958c8f2b4bd5

C:\Users\Admin\AppData\Local\Temp\tmpDBB1.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpDBF6.tmp

MD5 5b39e7698deffeb690fbd206e7640238
SHA1 327f6e6b5d84a0285eefe9914a067e9b51251863
SHA256 53209f64c96b342ff3493441cefa4f49d50f028bd1e5cc45fe1d8b4c9d9a38f8
SHA512 f1f9bc156af008b9686d5e76f41c40e5186f563f416c73c3205e6242b41539516b02f62a1d9f6bcc608ccde759c81def339ccd1633bc8acdd6a69dc4a6477cc7

C:\Users\Admin\AppData\Local\Temp\tmpDC60.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpDC75.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmpDC8B.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpDD04.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\NL10.127.0.112\Microsoft Edge\autofill.txt

MD5 2a76b3e934844a2a713d509f764db633
SHA1 3c190760fc63f72319dcc8535626e5f4cf6f46ff
SHA256 0d4d39a3d65d961dbd5df255f4cf69ab6b87076a9a366a8db723c98b7bbf20f2
SHA512 6d8f86a39dacb158cba5956610578f3e9873d66547e62cb491c440b108062cae2c35d16e292fd2f528d70ed9e5814c8916f4ada9f551498a5366fb709a9b1a82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 5d3481dd34099dd44e204ec67054f969
SHA1 75fc989a6b3172a48f8ac5390b1eadfd7303c774
SHA256 a0080d0730ec7372452929c3f9cb5f7636f984e103e9db7826581a7c8670fd5b
SHA512 f9705490c78dfd472d1c6e5a8d8a24fa79e7911495516c2d9db3e777b8deddacda0e3b41a5f5939eac4d3a4304bcde5efaf1ed768e918911d5610a8b8c719cd7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 76de7f24c50012e05bdf038cf31b4554
SHA1 69ff4ae81ce757b91634adc9d6ba055871dd3077
SHA256 6c1406c6702b674d9a937328fac1a4a53137d36bb117e54a3cd697855b6a1926
SHA512 6a00253a83de37ffb31c523b3d127406f47cc90780ecdeb275f57adbef1f8040713e2e9344fe6a2476f56689081be75b477a2e5d91758b0771c1c64d86be70b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a5d60aeab12a6d593016c16e8122638f
SHA1 0c68d791e8054e3ce3751205492df6c65831fb83
SHA256 5a073f6f08a46b1cb67d82eb6213ea5f1fcc4afe925450eddbf9d8c922660fc5
SHA512 015223164ecea77e76d330d6eaf4b5ec3379d2933693061866035fed2c627e0dd24d86bd4408b755160a79684fea4c1b50a6d66f0965c0c56829d0afb794205b
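The listing above is machine-readable but repetitive: the same bytes appear under several names (DED5.exe and IXP008.TMP\4Ly148ql.exe carry identical MD5/SHA1/SHA256/SHA512 values, and Pd9AT8Ax.exe is extracted into both IXP002.TMP and IXP007.TMP), and the memory/<pid>-<n>-<start>-<end>-memory.dmp lines repeat the 0x400000-0x432000 region for several PIDs. The Python below is an added example, not part of this report and not code from the sandbox that produced it. It parses entries in this layout into file records and memory-dump records, refuses hash lines of the wrong length so a truncated digest never reaches a blocklist, collapses file entries to one record per SHA256 while keeping every path the bytes were seen under, and groups dumps by address range. The sample input is a few entries excerpted from the listing above, not the whole list; the rule that any line which is neither a hash line nor a memory-dump name is a file path is my assumption about this format.

```python
import re

# Constructed sample: four file entries and five memory-dump lines excerpted from
# the Files list of this report, kept in the report's own layout.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

memory/5028-171-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DED5.exe

MD5 cb6e2f389f21e3ea466698a289e5089c
SHA1 8f3c17c72b7a4813883bffa8d600848fa4d7930c
SHA256 76426f6eeaff9fc1542bbb511691c20df2d31c678d2110c444c992d2df1e6a37
SHA512 ff4128122587543d5db15909e126f67669fe3ccdb093c734f66f7d971b0e26e14ca04a7b791a657b512033991c726e660c6d6a11cf12964cd49a333011c64e0e

memory/1752-206-0x0000000004B70000-0x0000000004B80000-memory.dmp
memory/2040-223-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4700-236-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\4Ly148ql.exe

MD5 cb6e2f389f21e3ea466698a289e5089c
SHA1 8f3c17c72b7a4813883bffa8d600848fa4d7930c
SHA256 76426f6eeaff9fc1542bbb511691c20df2d31c678d2110c444c992d2df1e6a37
SHA512 ff4128122587543d5db15909e126f67669fe3ccdb093c734f66f7d971b0e26e14ca04a7b791a657b512033991c726e660c6d6a11cf12964cd49a333011c64e0e

memory/5100-262-0x0000000000400000-0x0000000000432000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_report(text):
    """Return (file_records, dump_records); a hash line of the wrong length raises."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):      # memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end})
        elif m := HASH_RE.match(line):    # "SHA256 <hex>" belongs to the last path seen
            algo, digest = m[1], m[2].lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"unexpected or malformed {algo} line: {line}")
            current[algo.lower()] = digest
        else:                             # assumption for this layout: anything else is a path
            current = {"path": line}
            files.append(current)
    return files, dumps


def dedupe_files(files):
    """One record per SHA256, keeping every distinct path the same bytes were seen under."""
    by_sha = {}
    for rec in files:
        if "sha256" not in rec:
            continue                      # no hash block, so nothing to key a blocklist on
        entry = by_sha.setdefault(rec["sha256"], {"md5": rec.get("md5"), "paths": []})
        if rec["path"] not in entry["paths"]:
            entry["paths"].append(rec["path"])
    return by_sha


def regions_by_pid(dumps):
    """Map (start, end) -> sorted PIDs, so one region recurring across processes stands out."""
    groups = {}
    for d in dumps:
        groups.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {region: sorted(pids) for region, pids in groups.items()}


def ioc_lines(by_sha):
    """'sha256<TAB>path' lines, one per distinct path, ready for a blocklist feed."""
    return [f"{sha}\t{p}" for sha, e in sorted(by_sha.items()) for p in e["paths"]]


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    uniq = dedupe_files(files)
    print(f"{len(files)} file entries -> {len(uniq)} unique binaries")
    print("\n".join(ioc_lines(uniq)))
    for (start, end), pids in sorted(regions_by_pid(dumps).items()):
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes) in PIDs {pids}")
```

On the sample this reports two unique binaries behind four file entries and places the 0x400000-0x432000 region in PIDs 4700, 5028 and 5100; in the full listing the same region is also dumped from PID 3020. Which processes those PIDs are, and whether the recurring region is injected code, is something to check against the report's process tree and its "Suspicious use of SetThreadContext" signature rather than something the hashes alone establish.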