Analysis Overview
SHA256
1a0824a466dc05e4cf37bdd04072487942a7b7160a81c88abc26f593197854e3
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detects Healer an antivirus disabler dropper
RedLine
Healer
SmokeLoader
Amadey
SectopRAT payload
SectopRAT
DcRat
Modifies Windows Defender Real-time Protection settings
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Windows security modification
Uses the VBS compiler for execution
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Detected potential entity reuse from brand microsoft.
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 14:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 14:39
Reported
2023-10-12 14:41
Platform
win7-20230831-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2720 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 272
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
| MD5 | 38cd41a598692b23d66f8c0f64cc06ee |
| SHA1 | ffc771b0fc265351137ed5efe18ecf624a1c4961 |
| SHA256 | d5e6b08331779c9325b8224be3315c79d56b43aaab36fffa494f6253b4098d15 |
| SHA512 | 097d21401f059b17d1d2b385fede3c46db876f115136a70d2fbdce141374eec9406aacfc93d7a15096ee463da84d0f85181882c09089075093b5a24d9b15756a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
| MD5 | 38cd41a598692b23d66f8c0f64cc06ee |
| SHA1 | ffc771b0fc265351137ed5efe18ecf624a1c4961 |
| SHA256 | d5e6b08331779c9325b8224be3315c79d56b43aaab36fffa494f6253b4098d15 |
| SHA512 | 097d21401f059b17d1d2b385fede3c46db876f115136a70d2fbdce141374eec9406aacfc93d7a15096ee463da84d0f85181882c09089075093b5a24d9b15756a |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
| MD5 | 38cd41a598692b23d66f8c0f64cc06ee |
| SHA1 | ffc771b0fc265351137ed5efe18ecf624a1c4961 |
| SHA256 | d5e6b08331779c9325b8224be3315c79d56b43aaab36fffa494f6253b4098d15 |
| SHA512 | 097d21401f059b17d1d2b385fede3c46db876f115136a70d2fbdce141374eec9406aacfc93d7a15096ee463da84d0f85181882c09089075093b5a24d9b15756a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
| MD5 | 38cd41a598692b23d66f8c0f64cc06ee |
| SHA1 | ffc771b0fc265351137ed5efe18ecf624a1c4961 |
| SHA256 | d5e6b08331779c9325b8224be3315c79d56b43aaab36fffa494f6253b4098d15 |
| SHA512 | 097d21401f059b17d1d2b385fede3c46db876f115136a70d2fbdce141374eec9406aacfc93d7a15096ee463da84d0f85181882c09089075093b5a24d9b15756a |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
| MD5 | 5f37239d82fa00bab08d877604de6233 |
| SHA1 | 5b4a0df32e1bfc1bd16758a7a3661d18506213c6 |
| SHA256 | fd6ef9a170635abed5389e9c2f029a6bd03c4a0676224a2d45984f7ded3ca9d9 |
| SHA512 | d0cd47fc434dcff65fc55a4849d9fbc2485f3a8a99790b9f0fd55c2d0c2d605258e99714c9ff855e8158e125b978e4f40298de14597d6a751085d19b1e80acb5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
| MD5 | 5f37239d82fa00bab08d877604de6233 |
| SHA1 | 5b4a0df32e1bfc1bd16758a7a3661d18506213c6 |
| SHA256 | fd6ef9a170635abed5389e9c2f029a6bd03c4a0676224a2d45984f7ded3ca9d9 |
| SHA512 | d0cd47fc434dcff65fc55a4849d9fbc2485f3a8a99790b9f0fd55c2d0c2d605258e99714c9ff855e8158e125b978e4f40298de14597d6a751085d19b1e80acb5 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
| MD5 | 5f37239d82fa00bab08d877604de6233 |
| SHA1 | 5b4a0df32e1bfc1bd16758a7a3661d18506213c6 |
| SHA256 | fd6ef9a170635abed5389e9c2f029a6bd03c4a0676224a2d45984f7ded3ca9d9 |
| SHA512 | d0cd47fc434dcff65fc55a4849d9fbc2485f3a8a99790b9f0fd55c2d0c2d605258e99714c9ff855e8158e125b978e4f40298de14597d6a751085d19b1e80acb5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
| MD5 | 5f37239d82fa00bab08d877604de6233 |
| SHA1 | 5b4a0df32e1bfc1bd16758a7a3661d18506213c6 |
| SHA256 | fd6ef9a170635abed5389e9c2f029a6bd03c4a0676224a2d45984f7ded3ca9d9 |
| SHA512 | d0cd47fc434dcff65fc55a4849d9fbc2485f3a8a99790b9f0fd55c2d0c2d605258e99714c9ff855e8158e125b978e4f40298de14597d6a751085d19b1e80acb5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
| MD5 | 744ec0b6b09691ec528dc493ec4f11e3 |
| SHA1 | ae7d507d9b82a6df6abd7a3569c929785a0daa83 |
| SHA256 | 258d72a518f22af13623c8023686c5f96817fb854c71b9f0f5bfa5c9da715d65 |
| SHA512 | bcef2e0e9a3ee710f90414c00388e30e8c20b13892ee119b7adc397a235824d6e2360965f567e6c40964b01d4e915546ef2ae7814128c7402c5ac1e8a2e4996f |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
| MD5 | 744ec0b6b09691ec528dc493ec4f11e3 |
| SHA1 | ae7d507d9b82a6df6abd7a3569c929785a0daa83 |
| SHA256 | 258d72a518f22af13623c8023686c5f96817fb854c71b9f0f5bfa5c9da715d65 |
| SHA512 | bcef2e0e9a3ee710f90414c00388e30e8c20b13892ee119b7adc397a235824d6e2360965f567e6c40964b01d4e915546ef2ae7814128c7402c5ac1e8a2e4996f |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
| MD5 | 744ec0b6b09691ec528dc493ec4f11e3 |
| SHA1 | ae7d507d9b82a6df6abd7a3569c929785a0daa83 |
| SHA256 | 258d72a518f22af13623c8023686c5f96817fb854c71b9f0f5bfa5c9da715d65 |
| SHA512 | bcef2e0e9a3ee710f90414c00388e30e8c20b13892ee119b7adc397a235824d6e2360965f567e6c40964b01d4e915546ef2ae7814128c7402c5ac1e8a2e4996f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
| MD5 | 744ec0b6b09691ec528dc493ec4f11e3 |
| SHA1 | ae7d507d9b82a6df6abd7a3569c929785a0daa83 |
| SHA256 | 258d72a518f22af13623c8023686c5f96817fb854c71b9f0f5bfa5c9da715d65 |
| SHA512 | bcef2e0e9a3ee710f90414c00388e30e8c20b13892ee119b7adc397a235824d6e2360965f567e6c40964b01d4e915546ef2ae7814128c7402c5ac1e8a2e4996f |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
memory/2660-41-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-40-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-43-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-42-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-45-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-44-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2660-49-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-47-0x0000000000400000-0x000000000040A000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 14:39
Reported
2023-10-12 14:42
Platform
win10v2004-20230915-en
Max time kernel
151s
Max time network
161s
Command Line
Signatures
Amadey
DcRat
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\D744.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\D744.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\D744.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\D744.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\D744.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\D744.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ND6kG0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DA91.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DE3C.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E215.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E215.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\D744.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lh9ar3Fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\PF8Hi7lQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kb5Sm3Lc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq6ag9tV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\CF03.exe | N/A |
Checks installed software on the system
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D744.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2988 -ip 2988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 600
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qe6303.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qe6303.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3324 -ip 3324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4260 -ip 4260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 548
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gQ74Su.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gQ74Su.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4JM949lC.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4JM949lC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1204 -ip 1204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 136
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ND6kG0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ND6kG0.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8FE7.tmp\8FE8.tmp\8FE9.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ND6kG0.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9f1eb46f8,0x7ff9f1eb4708,0x7ff9f1eb4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9f1eb46f8,0x7ff9f1eb4708,0x7ff9f1eb4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5294471697860477303,8257428847916802055,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5294471697860477303,8257428847916802055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv viuEVAx4rkezxCtnCvXFJA.0.2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\CF03.exe
C:\Users\Admin\AppData\Local\Temp\CF03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq6ag9tV.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq6ag9tV.exe
C:\Users\Admin\AppData\Local\Temp\D0F8.exe
C:\Users\Admin\AppData\Local\Temp\D0F8.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lh9ar3Fc.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lh9ar3Fc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D232.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\PF8Hi7lQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\PF8Hi7lQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kb5Sm3Lc.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kb5Sm3Lc.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1zh03sw3.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1zh03sw3.exe
C:\Users\Admin\AppData\Local\Temp\D649.exe
C:\Users\Admin\AppData\Local\Temp\D649.exe
C:\Users\Admin\AppData\Local\Temp\D744.exe
C:\Users\Admin\AppData\Local\Temp\D744.exe
C:\Users\Admin\AppData\Local\Temp\DA91.exe
C:\Users\Admin\AppData\Local\Temp\DA91.exe
C:\Users\Admin\AppData\Local\Temp\DE3C.exe
C:\Users\Admin\AppData\Local\Temp\DE3C.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\E215.exe
C:\Users\Admin\AppData\Local\Temp\E215.exe
C:\Users\Admin\AppData\Local\Temp\E41A.exe
C:\Users\Admin\AppData\Local\Temp\E41A.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f1eb46f8,0x7ff9f1eb4708,0x7ff9f1eb4718
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\EA74.exe
C:\Users\Admin\AppData\Local\Temp\EA74.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\EFB4.exe
C:\Users\Admin\AppData\Local\Temp\EFB4.exe
C:\Users\Admin\AppData\Local\Temp\F2C3.exe
C:\Users\Admin\AppData\Local\Temp\F2C3.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5408 -ip 5408
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 804
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff9f1eb46f8,0x7ff9f1eb4708,0x7ff9f1eb4718
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1908 -ip 1908
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=EFB4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6032 -ip 6032
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f1eb46f8,0x7ff9f1eb4708,0x7ff9f1eb4718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 556
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 272
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3620 -ip 3620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2sP737kK.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2sP737kK.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2576 -ip 2576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 260
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f1eb46f8,0x7ff9f1eb4708,0x7ff9f1eb4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=EFB4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5287695856654666366,14101995709624630962,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| GB | 157.240.221.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| GB | 157.240.221.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| NL | 85.209.176.171:80 | 85.209.176.171 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.176.209.85.in-addr.arpa | udp |
| IT | 185.196.9.65:80 | tcp | |
| US | 8.8.8.8:53 | 65.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| TR | 185.216.70.238:37515 | tcp | |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 238.70.216.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | 98.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| US | 8.8.8.8:53 | microsoftmscompoc.tt.omtrdc.net | udp |
| IE | 52.17.210.114:443 | mscom.demdex.net | tcp |
| US | 8.8.8.8:53 | target.microsoft.com | udp |
| US | 8.8.8.8:53 | 114.210.17.52.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.189.173.5:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 20.189.173.5:443 | browser.events.data.microsoft.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
| MD5 | 38cd41a598692b23d66f8c0f64cc06ee |
| SHA1 | ffc771b0fc265351137ed5efe18ecf624a1c4961 |
| SHA256 | d5e6b08331779c9325b8224be3315c79d56b43aaab36fffa494f6253b4098d15 |
| SHA512 | 097d21401f059b17d1d2b385fede3c46db876f115136a70d2fbdce141374eec9406aacfc93d7a15096ee463da84d0f85181882c09089075093b5a24d9b15756a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
| MD5 | 38cd41a598692b23d66f8c0f64cc06ee |
| SHA1 | ffc771b0fc265351137ed5efe18ecf624a1c4961 |
| SHA256 | d5e6b08331779c9325b8224be3315c79d56b43aaab36fffa494f6253b4098d15 |
| SHA512 | 097d21401f059b17d1d2b385fede3c46db876f115136a70d2fbdce141374eec9406aacfc93d7a15096ee463da84d0f85181882c09089075093b5a24d9b15756a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
| MD5 | 5f37239d82fa00bab08d877604de6233 |
| SHA1 | 5b4a0df32e1bfc1bd16758a7a3661d18506213c6 |
| SHA256 | fd6ef9a170635abed5389e9c2f029a6bd03c4a0676224a2d45984f7ded3ca9d9 |
| SHA512 | d0cd47fc434dcff65fc55a4849d9fbc2485f3a8a99790b9f0fd55c2d0c2d605258e99714c9ff855e8158e125b978e4f40298de14597d6a751085d19b1e80acb5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
| MD5 | 5f37239d82fa00bab08d877604de6233 |
| SHA1 | 5b4a0df32e1bfc1bd16758a7a3661d18506213c6 |
| SHA256 | fd6ef9a170635abed5389e9c2f029a6bd03c4a0676224a2d45984f7ded3ca9d9 |
| SHA512 | d0cd47fc434dcff65fc55a4849d9fbc2485f3a8a99790b9f0fd55c2d0c2d605258e99714c9ff855e8158e125b978e4f40298de14597d6a751085d19b1e80acb5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
| MD5 | 744ec0b6b09691ec528dc493ec4f11e3 |
| SHA1 | ae7d507d9b82a6df6abd7a3569c929785a0daa83 |
| SHA256 | 258d72a518f22af13623c8023686c5f96817fb854c71b9f0f5bfa5c9da715d65 |
| SHA512 | bcef2e0e9a3ee710f90414c00388e30e8c20b13892ee119b7adc397a235824d6e2360965f567e6c40964b01d4e915546ef2ae7814128c7402c5ac1e8a2e4996f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
| MD5 | 744ec0b6b09691ec528dc493ec4f11e3 |
| SHA1 | ae7d507d9b82a6df6abd7a3569c929785a0daa83 |
| SHA256 | 258d72a518f22af13623c8023686c5f96817fb854c71b9f0f5bfa5c9da715d65 |
| SHA512 | bcef2e0e9a3ee710f90414c00388e30e8c20b13892ee119b7adc397a235824d6e2360965f567e6c40964b01d4e915546ef2ae7814128c7402c5ac1e8a2e4996f |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
memory/3952-28-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3952-29-0x0000000073FE0000-0x0000000074790000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qe6303.exe
| MD5 | 4ff3c1b46f85564cfcb9352d1ed9ab39 |
| SHA1 | a26b99f9dfa9b2293a9c4beef9cf1e3abee68a26 |
| SHA256 | b9d208c95c2320bd61e20fbadaa3100d74036d920792ab4bbb677d017d2696d8 |
| SHA512 | aba7c5a38996f02d1fd12f2d535ceae5ad2df3651a25333815fbe5fcf4b28d02b11b01f0dee81550cd94bb252580bcd6fba5b3572a82efae71dbcc810ec46b8c |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qe6303.exe
| MD5 | 4ff3c1b46f85564cfcb9352d1ed9ab39 |
| SHA1 | a26b99f9dfa9b2293a9c4beef9cf1e3abee68a26 |
| SHA256 | b9d208c95c2320bd61e20fbadaa3100d74036d920792ab4bbb677d017d2696d8 |
| SHA512 | aba7c5a38996f02d1fd12f2d535ceae5ad2df3651a25333815fbe5fcf4b28d02b11b01f0dee81550cd94bb252580bcd6fba5b3572a82efae71dbcc810ec46b8c |
memory/4260-33-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4260-34-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4260-35-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4260-37-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gQ74Su.exe
| MD5 | b8a942fb3fbdbf4f0ea57ee37a2763fe |
| SHA1 | ee843c5ecec2d4542ee4528e89c2614a3215cda7 |
| SHA256 | 200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe |
| SHA512 | 85f631c6c8effe106f2bb892d4e1d0da204d82352ed001228b6e954190767b7a21400f8ea5de7da1c8d0b71791ecd6465ada149fd978657519c6b77f1fd1a05f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gQ74Su.exe
| MD5 | b8a942fb3fbdbf4f0ea57ee37a2763fe |
| SHA1 | ee843c5ecec2d4542ee4528e89c2614a3215cda7 |
| SHA256 | 200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe |
| SHA512 | 85f631c6c8effe106f2bb892d4e1d0da204d82352ed001228b6e954190767b7a21400f8ea5de7da1c8d0b71791ecd6465ada149fd978657519c6b77f1fd1a05f |
memory/4624-41-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3952-42-0x0000000073FE0000-0x0000000074790000-memory.dmp
memory/4624-43-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4JM949lC.exe
| MD5 | 0313254983509a648ab46856373f5255 |
| SHA1 | 9cc351205abc23649ea8e777efbd775c350c2d96 |
| SHA256 | 73d33c92149258bbfe41d9078bff30f08e1674b610d9a3223f6efcc103c11216 |
| SHA512 | 27a4fde00665fdbac4ab3d8d0b58708a00cbfd638d2ae58f1a384e0374af5fd23e9213e055a2c0653ad1e1fafe369b20029d8b24c987a3070d8d91c90235b5f1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4JM949lC.exe
| MD5 | 0313254983509a648ab46856373f5255 |
| SHA1 | 9cc351205abc23649ea8e777efbd775c350c2d96 |
| SHA256 | 73d33c92149258bbfe41d9078bff30f08e1674b610d9a3223f6efcc103c11216 |
| SHA512 | 27a4fde00665fdbac4ab3d8d0b58708a00cbfd638d2ae58f1a384e0374af5fd23e9213e055a2c0653ad1e1fafe369b20029d8b24c987a3070d8d91c90235b5f1 |
memory/3952-48-0x0000000073FE0000-0x0000000074790000-memory.dmp
memory/3184-49-0x00000000005B0000-0x00000000005C6000-memory.dmp
memory/4624-52-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4652-53-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/4652-55-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/4652-56-0x0000000007900000-0x0000000007EA4000-memory.dmp
memory/4652-57-0x0000000007430000-0x00000000074C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ND6kG0.exe
| MD5 | bc0187e12e173530ab25ada6970c88fc |
| SHA1 | 2c39b0ff74b096faccc4b6f3e3b1185a19941f46 |
| SHA256 | 85e9f3dac6e6713194368494e5ec0a252a3db1dad096dd343c5b62ff006b39e8 |
| SHA512 | c56851c38adabbe3474e18208d747e52dd215b5d1a0266697569df0bf1123b2fcdb50877f31112986a4bfb63707f600e65bc2c71033b8e283a1535d93b8d9fb3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ND6kG0.exe
| MD5 | bc0187e12e173530ab25ada6970c88fc |
| SHA1 | 2c39b0ff74b096faccc4b6f3e3b1185a19941f46 |
| SHA256 | 85e9f3dac6e6713194368494e5ec0a252a3db1dad096dd343c5b62ff006b39e8 |
| SHA512 | c56851c38adabbe3474e18208d747e52dd215b5d1a0266697569df0bf1123b2fcdb50877f31112986a4bfb63707f600e65bc2c71033b8e283a1535d93b8d9fb3 |
memory/4652-62-0x00000000076A0000-0x00000000076B0000-memory.dmp
memory/4652-63-0x00000000075E0000-0x00000000075EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8FE7.tmp\8FE8.tmp\8FE9.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
memory/4652-65-0x00000000084D0000-0x0000000008AE8000-memory.dmp
memory/4652-66-0x00000000077C0000-0x00000000078CA000-memory.dmp
memory/4652-67-0x00000000076D0000-0x00000000076E2000-memory.dmp
memory/4652-68-0x0000000007730000-0x000000000776C000-memory.dmp
memory/4652-69-0x0000000007770000-0x00000000077BC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3478c18dc45d5448e5beefe152c81321 |
| SHA1 | a00c4c477bbd5117dec462cd6d1899ec7a676c07 |
| SHA256 | d2191cbeb51c49cbcd6f0ef24c8f93227b56680c95c762843137ac5d5f3f2e23 |
| SHA512 | 8473bb9429b1baf1ca4ac2f03f2fdecc89313624558cf9d3f58bebb58a8f394c950c34bdc7b606228090477f9c867b0d19a00c0e2f76355c613dafd73d69599c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
\??\pipe\LOCAL\crashpad_3704_BJCKCFEIVBGYHZJP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_1080_MJEFCTZRFWVCOFVV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2b71fa83553333c00b8ccbe4a611868a |
| SHA1 | 8c05d168868cb412f5ff1a197ed65dce86666109 |
| SHA256 | 2a36a1e866229407a7734f6f4bfc56aa1d897894a1eb558fac08751baa7c826b |
| SHA512 | b1674dc5be77dc4170efd3d17a9ec4757ddcb37218c63fd71bd2e29b144d0d40d5746e1b8ae4fe3885e9c7350663ba46b311cb7f4f814a65a7267ee5c57492f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6066ba755af06bf9d532b6d9e368ee76 |
| SHA1 | 85888987ec7fa84952c42f65c40e0a5f5db6e09f |
| SHA256 | 86135f13ab6784dd120eeb6eee8cdcd658b15a09a40d4fc2a63df09302e440af |
| SHA512 | 31688ec82ba6a15534a62a0efec335bc5ee7706cd782238af504838b8fda65ac51129e84554a90fe981012fcc63df83ab4cf4752c8e4b3f1b203e8587b16594c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/4652-213-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/4652-216-0x00000000076A0000-0x00000000076B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2b71fa83553333c00b8ccbe4a611868a |
| SHA1 | 8c05d168868cb412f5ff1a197ed65dce86666109 |
| SHA256 | 2a36a1e866229407a7734f6f4bfc56aa1d897894a1eb558fac08751baa7c826b |
| SHA512 | b1674dc5be77dc4170efd3d17a9ec4757ddcb37218c63fd71bd2e29b144d0d40d5746e1b8ae4fe3885e9c7350663ba46b311cb7f4f814a65a7267ee5c57492f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 981019ae1a522eafbf7aaee6259ba7d5 |
| SHA1 | 33826a6e09a775a8a4022d4cd3df8225cda0ead2 |
| SHA256 | b17f84182d2a8ab79cb63a6740fd06f11ff56b0da7d940f29da742a0a228beaf |
| SHA512 | ccacd883f65765c12497eb190df3ec9c2b1f7f1a88f3c5087b2e1821658dab704265edee323bb81ebe9ee087cc755a9cd045a7d00e96b2a72d9016574d96d77f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bbc362b4-e76f-42d4-b0b2-7969be2fb1a6.tmp
| MD5 | a1eb601a3d998c361a179b89fa5e99ac |
| SHA1 | 636cbbda45d54a4b569a28d9efe8f5618206a3cf |
| SHA256 | 396c04c28592936a814f9470d1c67547c5c84aa52b2c89c4c7a0375b483ddde5 |
| SHA512 | 833d61ddfaf2977e555e1e29572140a0a2d7007be7c1f2dfd94542d9eb3a4654a3d2c7ff117486cc7f16977d144db864deeafe37185edbf0213f51c67c36d3b9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | d555d038867542dfb2fb0575a0d3174e |
| SHA1 | 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0 |
| SHA256 | 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e |
| SHA512 | d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\CF03.exe
| MD5 | 09aed0033858206fa791947adbc07e52 |
| SHA1 | c992c2ad37e54f939541ffe19e4a42c26a032880 |
| SHA256 | 49da81a852e5ac5b709183f88f7b1f6bca4a9a2638ef3cc52c9ec1bf09faab14 |
| SHA512 | ca8f559bc1fb5899be51ee0ad389584ab83e10c531986d576f764e1aa6eea83ac74d16dc436851e1a6eb21baf0bb75030075f09850ac9542fe3dc573e5a88a6a |
C:\Users\Admin\AppData\Local\Temp\CF03.exe
| MD5 | 09aed0033858206fa791947adbc07e52 |
| SHA1 | c992c2ad37e54f939541ffe19e4a42c26a032880 |
| SHA256 | 49da81a852e5ac5b709183f88f7b1f6bca4a9a2638ef3cc52c9ec1bf09faab14 |
| SHA512 | ca8f559bc1fb5899be51ee0ad389584ab83e10c531986d576f764e1aa6eea83ac74d16dc436851e1a6eb21baf0bb75030075f09850ac9542fe3dc573e5a88a6a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6CT89Bj.exe
| MD5 | e2d2f562b25c28b2a5f68caa8349ce6c |
| SHA1 | 738ace5f793f9fede89acd30b783e1af30de3e2b |
| SHA256 | b7e4a83dcdf8497a92bf06d0c038a66b52b501f5bab094db1ec5e7e0a6993905 |
| SHA512 | ed55928c79d00fe879b55eec7eaa3191606b4d48f05eb223250ab3c6bfbbe46b5072493cf32456c01fb4911351971773888c10c50ad4960f8823f32404362d61 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq6ag9tV.exe
| MD5 | 69cec3242b4419ddbe8b7331ce47d674 |
| SHA1 | 8d616a29c65065d0aa5a2375a1bf3ec313bf5cfb |
| SHA256 | e1413549c4c3047b54599317ff5947f5f835ed480751b7457b4a2f8230dcd02b |
| SHA512 | 4fad4f9c740e812aca2942b04604d09592bdd4b27ececf822d462ff0cfbaa8ccdfd77137434a6322258f06ce27e9be7eb1a898860b3832295e8e4930ec66ab7b |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq6ag9tV.exe
| MD5 | 69cec3242b4419ddbe8b7331ce47d674 |
| SHA1 | 8d616a29c65065d0aa5a2375a1bf3ec313bf5cfb |
| SHA256 | e1413549c4c3047b54599317ff5947f5f835ed480751b7457b4a2f8230dcd02b |
| SHA512 | 4fad4f9c740e812aca2942b04604d09592bdd4b27ececf822d462ff0cfbaa8ccdfd77137434a6322258f06ce27e9be7eb1a898860b3832295e8e4930ec66ab7b |
C:\Users\Admin\AppData\Local\Temp\D0F8.exe
| MD5 | 19477110aa849bd70f20614b555876eb |
| SHA1 | e8c97d0945742ac3b123e4d41d11370473819798 |
| SHA256 | b01b105c170f1a886ab90dd1d96ccabdff92ab4635e470d95c488d5f0194836f |
| SHA512 | 44138fa8f621f436337b3a1c8cee7a447239ea057ea92d7ae98dd75b549b9507721da32a5846d42528e8538128f56fbe64cb9e7b23efd9971e551197edcadd34 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lh9ar3Fc.exe
| MD5 | 14c325e5538e25656398eae1f50bd9c1 |
| SHA1 | d007f4af62a25cc43917744219073ee84d6ea5dc |
| SHA256 | d639d091c591efa9604b7687e26f23955f3dd10bf3a2320b11cb6649a134742d |
| SHA512 | caf0add07446750fdcbc34fbca88ba0efb54ce87793adaf570ef218d6ed898d767e9e6e70eec0d8ae46b25bba4c85f8b24002fc7021696755ce48f914f17c55b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lh9ar3Fc.exe
| MD5 | 14c325e5538e25656398eae1f50bd9c1 |
| SHA1 | d007f4af62a25cc43917744219073ee84d6ea5dc |
| SHA256 | d639d091c591efa9604b7687e26f23955f3dd10bf3a2320b11cb6649a134742d |
| SHA512 | caf0add07446750fdcbc34fbca88ba0efb54ce87793adaf570ef218d6ed898d767e9e6e70eec0d8ae46b25bba4c85f8b24002fc7021696755ce48f914f17c55b |
C:\Users\Admin\AppData\Local\Temp\D0F8.exe
| MD5 | 19477110aa849bd70f20614b555876eb |
| SHA1 | e8c97d0945742ac3b123e4d41d11370473819798 |
| SHA256 | b01b105c170f1a886ab90dd1d96ccabdff92ab4635e470d95c488d5f0194836f |
| SHA512 | 44138fa8f621f436337b3a1c8cee7a447239ea057ea92d7ae98dd75b549b9507721da32a5846d42528e8538128f56fbe64cb9e7b23efd9971e551197edcadd34 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\PF8Hi7lQ.exe
| MD5 | 2bf5d94ba4975a26de24cd34827f3f7b |
| SHA1 | 5bc751b88465101cd9fd893f5bfe37bcaaf2467d |
| SHA256 | f6bf32dd9fdcd08bf16dcb7cdfd5e3f0680baae1966b67ccc4bc9762f9d7d6b4 |
| SHA512 | 7a1ca5a463aa2445f5c35985ea9ba0bc007c1e40a014860a53b02e4ef517c98e6e867ea8a018cdb802b03929416cfe7fcd97a8839687b7a0541da0ae8fa9828e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\PF8Hi7lQ.exe
| MD5 | 2bf5d94ba4975a26de24cd34827f3f7b |
| SHA1 | 5bc751b88465101cd9fd893f5bfe37bcaaf2467d |
| SHA256 | f6bf32dd9fdcd08bf16dcb7cdfd5e3f0680baae1966b67ccc4bc9762f9d7d6b4 |
| SHA512 | 7a1ca5a463aa2445f5c35985ea9ba0bc007c1e40a014860a53b02e4ef517c98e6e867ea8a018cdb802b03929416cfe7fcd97a8839687b7a0541da0ae8fa9828e |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kb5Sm3Lc.exe
| MD5 | 3c366fb681a9e7841ef928477def8b28 |
| SHA1 | d0589660c0d96d5c087c4da340cbed2745b08780 |
| SHA256 | 966a59c9baf6346bbc38102cc6aee2cb81bfe860d0fd4598db2ae233929b273a |
| SHA512 | 9664d7ed193b691d525406a47ec3f3e7da1ad66b1d8f48422977caabf2064b6e8a9a9958f33e9696c2c0a9edc0cb212bd15c942723e2d4822f6dae393a6a89ac |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kb5Sm3Lc.exe
| MD5 | 3c366fb681a9e7841ef928477def8b28 |
| SHA1 | d0589660c0d96d5c087c4da340cbed2745b08780 |
| SHA256 | 966a59c9baf6346bbc38102cc6aee2cb81bfe860d0fd4598db2ae233929b273a |
| SHA512 | 9664d7ed193b691d525406a47ec3f3e7da1ad66b1d8f48422977caabf2064b6e8a9a9958f33e9696c2c0a9edc0cb212bd15c942723e2d4822f6dae393a6a89ac |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1zh03sw3.exe
| MD5 | 4ff3c1b46f85564cfcb9352d1ed9ab39 |
| SHA1 | a26b99f9dfa9b2293a9c4beef9cf1e3abee68a26 |
| SHA256 | b9d208c95c2320bd61e20fbadaa3100d74036d920792ab4bbb677d017d2696d8 |
| SHA512 | aba7c5a38996f02d1fd12f2d535ceae5ad2df3651a25333815fbe5fcf4b28d02b11b01f0dee81550cd94bb252580bcd6fba5b3572a82efae71dbcc810ec46b8c |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1zh03sw3.exe
| MD5 | 4ff3c1b46f85564cfcb9352d1ed9ab39 |
| SHA1 | a26b99f9dfa9b2293a9c4beef9cf1e3abee68a26 |
| SHA256 | b9d208c95c2320bd61e20fbadaa3100d74036d920792ab4bbb677d017d2696d8 |
| SHA512 | aba7c5a38996f02d1fd12f2d535ceae5ad2df3651a25333815fbe5fcf4b28d02b11b01f0dee81550cd94bb252580bcd6fba5b3572a82efae71dbcc810ec46b8c |
C:\Users\Admin\AppData\Local\Temp\D649.exe
| MD5 | 0313254983509a648ab46856373f5255 |
| SHA1 | 9cc351205abc23649ea8e777efbd775c350c2d96 |
| SHA256 | 73d33c92149258bbfe41d9078bff30f08e1674b610d9a3223f6efcc103c11216 |
| SHA512 | 27a4fde00665fdbac4ab3d8d0b58708a00cbfd638d2ae58f1a384e0374af5fd23e9213e055a2c0653ad1e1fafe369b20029d8b24c987a3070d8d91c90235b5f1 |
C:\Users\Admin\AppData\Local\Temp\D649.exe
| MD5 | 0313254983509a648ab46856373f5255 |
| SHA1 | 9cc351205abc23649ea8e777efbd775c350c2d96 |
| SHA256 | 73d33c92149258bbfe41d9078bff30f08e1674b610d9a3223f6efcc103c11216 |
| SHA512 | 27a4fde00665fdbac4ab3d8d0b58708a00cbfd638d2ae58f1a384e0374af5fd23e9213e055a2c0653ad1e1fafe369b20029d8b24c987a3070d8d91c90235b5f1 |
C:\Users\Admin\AppData\Local\Temp\D232.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1zh03sw3.exe
| MD5 | 4ff3c1b46f85564cfcb9352d1ed9ab39 |
| SHA1 | a26b99f9dfa9b2293a9c4beef9cf1e3abee68a26 |
| SHA256 | b9d208c95c2320bd61e20fbadaa3100d74036d920792ab4bbb677d017d2696d8 |
| SHA512 | aba7c5a38996f02d1fd12f2d535ceae5ad2df3651a25333815fbe5fcf4b28d02b11b01f0dee81550cd94bb252580bcd6fba5b3572a82efae71dbcc810ec46b8c |
C:\Users\Admin\AppData\Local\Temp\D744.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
memory/5160-305-0x0000000000FD0000-0x0000000000FDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D744.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
C:\Users\Admin\AppData\Local\Temp\D649.exe
| MD5 | 0313254983509a648ab46856373f5255 |
| SHA1 | 9cc351205abc23649ea8e777efbd775c350c2d96 |
| SHA256 | 73d33c92149258bbfe41d9078bff30f08e1674b610d9a3223f6efcc103c11216 |
| SHA512 | 27a4fde00665fdbac4ab3d8d0b58708a00cbfd638d2ae58f1a384e0374af5fd23e9213e055a2c0653ad1e1fafe369b20029d8b24c987a3070d8d91c90235b5f1 |
memory/5160-307-0x00007FF9ECEF0000-0x00007FF9ED9B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DA91.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\DA91.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\DE3C.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Temp\DE3C.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\E215.exe
| MD5 | 37e45af2d4bf5e9166d4db98dcc4a2be |
| SHA1 | 9e08985f441deb096303d11e26f8d80a23de0751 |
| SHA256 | 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca |
| SHA512 | 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c |
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6e1b1e1a4ad56f67551f892e33abe867 |
| SHA1 | 7125086c036c69e0c062f9d00b03127a94f98a3c |
| SHA256 | 1c56acc4a159eaea03afbf36df37b23807b1344a95b7038f10b67b0ab94547d6 |
| SHA512 | eb31fed101397d7f61aaebcef6a8bb09a7cbcfb73e6d388f106b8c9c218004858ed6c48fcb35ec7ca2eebc2daf62ae18f03f02dba9f0a31ad17a21e632aec4a1 |
C:\Users\Admin\AppData\Local\Temp\E41A.exe
| MD5 | 1199c88022b133b321ed8e9c5f4e6739 |
| SHA1 | 8e5668edc9b4e1f15c936e68b59c84e165c9cb07 |
| SHA256 | e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836 |
| SHA512 | 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697 |
memory/5508-349-0x0000000000CC0000-0x0000000000CDE000-memory.dmp
memory/5508-354-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/5408-352-0x0000000001FB0000-0x000000000200A000-memory.dmp
memory/5788-356-0x0000000000750000-0x00000000008A8000-memory.dmp
memory/5408-358-0x0000000000400000-0x000000000046F000-memory.dmp
memory/5508-364-0x0000000005560000-0x0000000005570000-memory.dmp
memory/5408-362-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/6052-367-0x0000000000D60000-0x0000000000DBA000-memory.dmp
memory/6052-368-0x0000000073BC0000-0x0000000074370000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cc70a2b6c9fcb91520324236fc436df8 |
| SHA1 | 0bb5985fd79f4b765ba68ed60ce3b21ea49538fd |
| SHA256 | c3e567701fa5745053f382468b6797a49e643afbadc4ee9ebd3cc347477b74e3 |
| SHA512 | 2cb8421b028a1b5233ef5f13023cf187bed702cbd46f3a14996c0c4f665f0dd758e2a941a8c25e5660b1932be532abb2c986337b66a9163cb714b1cc3b39cb40 |
memory/5976-433-0x00000000020B0000-0x000000000210A000-memory.dmp
memory/5160-445-0x00007FF9ECEF0000-0x00007FF9ED9B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1e7b45a6e084ee7cae6bcd5a967f85f0 |
| SHA1 | 56a28ac0bc2f357ed5d8a24609e188b7c7471a84 |
| SHA256 | 14aa4d38f74bd3287670800d601ec2ee4fcdf927ad211302aeb3e9ca28dd31c8 |
| SHA512 | b1439989ad4e4e1403137e09c19f04729de0d3479720f3050af0cb5350a94b1d9d725f318d3607bd31f2d08cc561c9a2a4e56cee18fdf516ff6df57b0827055c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590824.TMP
| MD5 | c33801562d227f12581a655e95ddb3b9 |
| SHA1 | 4985820ce717bbe9b9fe27fd983d090189b917f0 |
| SHA256 | 9fcf49d43534aa589c32221e8b95147bd43922ee3227f6e63b0b4f1a262ee905 |
| SHA512 | a47604b01006aa4ecdfd36f186776e808ba2c28c34cb2e977a6a45327c8e4c7b32d691fff05529732d9e87e71087b0044f20567ab38000875758f20b1f86e9c0 |
memory/6052-456-0x0000000008730000-0x0000000008796000-memory.dmp
memory/5228-459-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5788-483-0x0000000000750000-0x00000000008A8000-memory.dmp
memory/5228-500-0x0000000007550000-0x0000000007560000-memory.dmp
memory/6032-499-0x0000000000400000-0x0000000000433000-memory.dmp
memory/6032-501-0x0000000000400000-0x0000000000433000-memory.dmp
memory/6052-505-0x0000000007C90000-0x0000000007CA0000-memory.dmp
memory/6032-507-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5796-509-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5228-510-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/5796-517-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2D82.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp2D98.tmp
| MD5 | 188ab93f5f227894c0c70713b1a7b3ef |
| SHA1 | 6328e8525c50e75a90cd0ba814283a839c71a2de |
| SHA256 | 41448a0c25799fadca5ecb71643c151f0344615b0ea22ea9135fd529dddba712 |
| SHA512 | c94051c67fb5904f7347c828c66f22553e9d9e384f4564fa5a39d688718de69893c29306fb1e11ad410a5f2d6b32e598bd08bef5b3655603f5faca2c5e55aabf |
C:\Users\Admin\AppData\Local\Temp\tmp2E55.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp2ECE.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
memory/5796-653-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5508-602-0x0000000006AD0000-0x0000000006B20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2D09.tmp
| MD5 | 8395952fd7f884ddb74e81045da7a35e |
| SHA1 | f0f7f233824600f49147252374bc4cdfab3594b9 |
| SHA256 | 248c0c254592c08684c603ac37896813354c88ab5992fadf9d719ec5b958af58 |
| SHA512 | ea296a74758c94f98c352ff7d64c85dcd23410f9b4d3b1713218b8ee45c6b02febff53073819c973da0207471c7d70309461d47949e4d40ba7423328cf23f6cd |
C:\Users\Admin\AppData\Local\Temp\tmp2C28.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
memory/5796-506-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5976-508-0x0000000000400000-0x000000000046F000-memory.dmp
memory/5508-504-0x0000000007240000-0x000000000776C000-memory.dmp
memory/5508-498-0x0000000006B40000-0x0000000006D02000-memory.dmp
memory/6052-667-0x0000000009CB0000-0x0000000009D26000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5fe0880392099178eda64a6ed8cc2fa6 |
| SHA1 | 66144ed42596aaa07111be67c6d174361ad6a22c |
| SHA256 | 90039441a19737477a9a1ca9c2cae6937bd59b40bcecf1999a8af4f7266a2d27 |
| SHA512 | c88437256f497f5e4847c9102cb636378ebaac190bffc5811966b2f52c581d81e9dd6b3c86efcdb97c3c9dc7c7d3c1d6886ab89b08cd494213246b3e2bc90dfb |
memory/5408-674-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/6052-672-0x0000000009C70000-0x0000000009C8E000-memory.dmp
memory/1256-677-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/4772-676-0x0000000000BF0000-0x0000000000C2E000-memory.dmp
memory/4772-704-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/5508-705-0x0000000073BC0000-0x0000000074370000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 97fd26773403c1705bf475b585ca43cc |
| SHA1 | 193c34d21433e3fbee48ca91172192f34f48b89e |
| SHA256 | ba6baf7abc36d24ecf89600a7303fef1c8fb179bb3e857f3361e12fa352bd416 |
| SHA512 | 36fd511414c4f2cb8cf3c755556391cc7ae565538df12de7014a60e6f1f8db02f39104adc83a902ce384414874320c46e80a1188fea4faf6995028c0ff93660d |
memory/1256-725-0x0000000007530000-0x0000000007540000-memory.dmp
memory/4772-724-0x0000000007B80000-0x0000000007B90000-memory.dmp
memory/5508-736-0x0000000005560000-0x0000000005570000-memory.dmp
memory/6052-763-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/5228-766-0x0000000007550000-0x0000000007560000-memory.dmp
memory/6052-769-0x0000000007C90000-0x0000000007CA0000-memory.dmp
memory/5228-777-0x0000000073BC0000-0x0000000074370000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 249a04257f65332d708341688527829c |
| SHA1 | 7ae89afba53c43bd2036bf9c7c3eb17f1d8ed1b0 |
| SHA256 | 889d8728b0ab2574fef0dcc7d69d759997d948d43af7d5d1fba67e0f2660a301 |
| SHA512 | 2cb47fb3693014de7fe0ec364c0fb3c6387c92db2e3eab3f0e5045217e96a683b8a95b075e9be5e7d89b3cc5197572f8d61ee6cd58204367477cfdfefc53cae4 |
memory/5508-797-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/6052-802-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/1256-803-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/4772-804-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/4772-805-0x0000000007B80000-0x0000000007B90000-memory.dmp
memory/5228-807-0x0000000073BC0000-0x0000000074370000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b02b00f2ffe5208a61373c23cea290ff |
| SHA1 | 80e7ad70e4e0a6975265dcf8a1bdd810a91b8aec |
| SHA256 | 9f74c30b107917fa3113f6669c44d2e3ee844eb6ac68c575b3e9a138932d1bc9 |
| SHA512 | 218cd88e6723e9aa61582d02f05b7d48f3cab6e70a732c37b90ee7f5257d2f26b7746e520fb0a4b41fdb4f36d47fe552ad53923ecd1ae502e62e0e25182a2f57 |
memory/1256-817-0x0000000007530000-0x0000000007540000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e8370241-e7ed-4305-88af-f3fe76119c89.tmp
| MD5 | 8e1a71b3fe3b88b6146f20cd807cf32b |
| SHA1 | f5ea31ea5489a6b5d0f1e3d9b7940ed2fabec385 |
| SHA256 | ebd9cde80442a7cd8a97adc7ae431652446ea2dd0197a93b336a90ee9422000a |
| SHA512 | 537af347db978522f52707e00b1fd9ba1fa168f167d9c38dc490cfbbacec9258132c9b89149cb1af190de37748dde0afc7ca4747db6c82379b3502c07ebedb5e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 67c3efb263d8047feb2bd9bb499c46d4 |
| SHA1 | e6505c91b3a6922eeb7504f6a06c06a4ff0ac28f |
| SHA256 | 7df5173f50c8d69b5891e07199f50eaf3e1c83ebc0418893edb2df96e786375a |
| SHA512 | b79812429f0fd00847d9b87e0025fa1313b0338554c0f8f3ba9b477c212198dc0f561ff4ac74bc33893bd07bd11a00b5f6bee85e6bfb0b06ce5e9968a12a5318 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d1094c1150518d35db28fdba338e45ce |
| SHA1 | 5f11da21f0e216c6bb9d029a02fa27fd85f6cb53 |
| SHA256 | 5e982329fd5f501aecb31727c01ed0ab808ea51962e4b0acb15a6b59794429b0 |
| SHA512 | 0c000e012d915be898105bd20019275a9ec3c7884e9c0f2ecf0b91f2956be75d57585a4431176593f949299a96ceed8d8ee0eae8eec00b7c0195bcc3f228492c |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 86d1a99200a8af6a4d32ba1ea2f08e28 |
| SHA1 | dc24407dfca3406d792b22736ed04fe16342ce2a |
| SHA256 | 19af6cb751beb357799f2c2afcd8c7f0c87a596bbd1e0112030bce207c302fa3 |
| SHA512 | b940e464ff34bdb05614f56389879e6eb6cb4eb1fd56e1403acf68d154632cc62b3eb654a8140a918ab85d2a4ed4b2156243b02da8ac5a7c11c070df935b4b27 |