Malware Analysis Report

2025-08-10 23:42

Sample ID 231012-sch93shb85
Target file
SHA256 a1991359a4031e2dd5d238748184212ff2c7c8b51848dbdcd35b762787f1aae5
Tags
evasion persistence trojan amadey dcrat healer redline sectoprat smokeloader @ytlogsbot breha kukish pixelscloud backdoor microsoft discovery dropper infostealer phishing rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1991359a4031e2dd5d238748184212ff2c7c8b51848dbdcd35b762787f1aae5

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan amadey dcrat healer redline sectoprat smokeloader @ytlogsbot breha kukish pixelscloud backdoor microsoft discovery dropper infostealer phishing rat spyware stealer

DcRat

SmokeLoader

Healer

SectopRAT payload

RedLine payload

SectopRAT

Modifies Windows Defender Real-time Protection settings

Amadey

Detects Healer an antivirus disabler dropper

RedLine

Downloads MZ/PE file

Uses the VBS compiler for execution

Executes dropped EXE

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Checks installed software on the system

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 14:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 14:58

Reported

2023-10-12 15:01

Platform

win7-20230831-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2612 set thread context of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 2440 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 2440 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 2440 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 2440 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 2440 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 2440 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 2980 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 2980 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 2980 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 2980 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 2980 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 2980 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 2980 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 3000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 3000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 3000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 3000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 3000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 3000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 3000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2612 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2612 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2612 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2612 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2612 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2612 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2612 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 272

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

MD5 0c572fbe41cbb0572c8800f24702de24
SHA1 78fac8edfc9a499008ecaa4f51b6d60b5191e94f
SHA256 fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32
SHA512 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

MD5 0c572fbe41cbb0572c8800f24702de24
SHA1 78fac8edfc9a499008ecaa4f51b6d60b5191e94f
SHA256 fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32
SHA512 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

MD5 0c572fbe41cbb0572c8800f24702de24
SHA1 78fac8edfc9a499008ecaa4f51b6d60b5191e94f
SHA256 fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32
SHA512 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

MD5 0c572fbe41cbb0572c8800f24702de24
SHA1 78fac8edfc9a499008ecaa4f51b6d60b5191e94f
SHA256 fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32
SHA512 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb

\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

MD5 9f326be1d6b50927040011f3a65a0ef6
SHA1 439a6acdf37c927bbc92e3e41726ff1ca4a3e684
SHA256 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333
SHA512 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

MD5 9f326be1d6b50927040011f3a65a0ef6
SHA1 439a6acdf37c927bbc92e3e41726ff1ca4a3e684
SHA256 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333
SHA512 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

MD5 9f326be1d6b50927040011f3a65a0ef6
SHA1 439a6acdf37c927bbc92e3e41726ff1ca4a3e684
SHA256 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333
SHA512 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5

\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

MD5 9f326be1d6b50927040011f3a65a0ef6
SHA1 439a6acdf37c927bbc92e3e41726ff1ca4a3e684
SHA256 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333
SHA512 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5

\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

MD5 2a2c3dcda47bdfbeed60f4d14c72bc38
SHA1 5648dc8b940ba0f0f732c507a169425c8f7783fe
SHA256 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9
SHA512 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

MD5 2a2c3dcda47bdfbeed60f4d14c72bc38
SHA1 5648dc8b940ba0f0f732c507a169425c8f7783fe
SHA256 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9
SHA512 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5

\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

MD5 2a2c3dcda47bdfbeed60f4d14c72bc38
SHA1 5648dc8b940ba0f0f732c507a169425c8f7783fe
SHA256 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9
SHA512 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

MD5 2a2c3dcda47bdfbeed60f4d14c72bc38
SHA1 5648dc8b940ba0f0f732c507a169425c8f7783fe
SHA256 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9
SHA512 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

memory/2680-40-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2680-41-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2680-42-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2680-44-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2680-43-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2680-45-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2680-49-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2680-47-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 14:58

Reported

2023-10-12 15:01

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\884A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\884A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\884A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\884A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\884A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\884A.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8FBE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7A7A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7EF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\85C8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JP83Dm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884A.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8FBE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A00B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A4BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD9A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B134.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B2CC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BD3D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Yu966Qp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A00B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A00B.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\884A.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7A7A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\884A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8FBE.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4112 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 4112 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 4112 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
PID 3548 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 3548 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 3548 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
PID 4632 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 4632 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 4632 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
PID 2224 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 2224 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 2224 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
PID 3164 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2224 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe
PID 2224 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe
PID 2224 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe
PID 4520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4520 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe
PID 4632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe
PID 4632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe
PID 3524 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3548 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe
PID 3548 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe
PID 3548 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe
PID 2184 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2184 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2184 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2184 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2184 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2184 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2184 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2184 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4112 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe
PID 4112 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3164 -ip 3164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 568

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2A95.tmp\2AA6.tmp\2AA7.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10362367851698089241,16809530312321572622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10362367851698089241,16809530312321572622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\7A7A.exe

C:\Users\Admin\AppData\Local\Temp\7A7A.exe

C:\Users\Admin\AppData\Local\Temp\7EF0.exe

C:\Users\Admin\AppData\Local\Temp\7EF0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\828B.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe

C:\Users\Admin\AppData\Local\Temp\85C8.exe

C:\Users\Admin\AppData\Local\Temp\85C8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JP83Dm7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JP83Dm7.exe

C:\Users\Admin\AppData\Local\Temp\884A.exe

C:\Users\Admin\AppData\Local\Temp\884A.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\8B0A.exe

C:\Users\Admin\AppData\Local\Temp\8B0A.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718

C:\Users\Admin\AppData\Local\Temp\8FBE.exe

C:\Users\Admin\AppData\Local\Temp\8FBE.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\A00B.exe

C:\Users\Admin\AppData\Local\Temp\A00B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4140 -ip 4140

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\A4BF.exe

C:\Users\Admin\AppData\Local\Temp\A4BF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 268

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\AD9A.exe

C:\Users\Admin\AppData\Local\Temp\AD9A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5580 -ip 5580

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\B134.exe

C:\Users\Admin\AppData\Local\Temp\B134.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 792

C:\Users\Admin\AppData\Local\Temp\B2CC.exe

C:\Users\Admin\AppData\Local\Temp\B2CC.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5588 -ip 5588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4236 -ip 4236

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\BD3D.exe

C:\Users\Admin\AppData\Local\Temp\BD3D.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Yu966Qp.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Yu966Qp.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B134.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B134.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 api.ip.sb udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
IE 52.210.125.129:443 mscom.demdex.net tcp
US 8.8.8.8:53 129.125.210.52.in-addr.arpa udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.42.73.25:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 20.42.73.25:443 browser.events.data.microsoft.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

MD5 0c572fbe41cbb0572c8800f24702de24
SHA1 78fac8edfc9a499008ecaa4f51b6d60b5191e94f
SHA256 fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32
SHA512 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

MD5 0c572fbe41cbb0572c8800f24702de24
SHA1 78fac8edfc9a499008ecaa4f51b6d60b5191e94f
SHA256 fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32
SHA512 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

MD5 9f326be1d6b50927040011f3a65a0ef6
SHA1 439a6acdf37c927bbc92e3e41726ff1ca4a3e684
SHA256 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333
SHA512 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

MD5 9f326be1d6b50927040011f3a65a0ef6
SHA1 439a6acdf37c927bbc92e3e41726ff1ca4a3e684
SHA256 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333
SHA512 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

MD5 2a2c3dcda47bdfbeed60f4d14c72bc38
SHA1 5648dc8b940ba0f0f732c507a169425c8f7783fe
SHA256 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9
SHA512 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

MD5 2a2c3dcda47bdfbeed60f4d14c72bc38
SHA1 5648dc8b940ba0f0f732c507a169425c8f7783fe
SHA256 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9
SHA512 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

MD5 3ff825411b1fe07e712a5dcae34f80eb
SHA1 e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

memory/3172-28-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3172-29-0x0000000073C10000-0x00000000743C0000-memory.dmp

memory/3172-30-0x0000000073C10000-0x00000000743C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe

MD5 c744cde6a13370a7d6c1c0081899275c
SHA1 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955
SHA256 eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f
SHA512 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb

memory/4600-34-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4600-35-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4600-36-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4600-38-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe

MD5 fd06b98da4a84630b88bf94723239636
SHA1 ce781503f76b748c327ece62600d0aedb97fc899
SHA256 5494c36ef10edc6023587cc455e845c27d721be80377ce89110d8f8afec9fac9
SHA512 4f7c92718f4d33b6e0be90cd4a3dd3f30042d414fedf03a6ec5783181274c5d39aef56a4f4f8d3fd55eb92f9b6d60d14ec229f773875ce5a6102b87bbbb3187d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe

MD5 fd06b98da4a84630b88bf94723239636
SHA1 ce781503f76b748c327ece62600d0aedb97fc899
SHA256 5494c36ef10edc6023587cc455e845c27d721be80377ce89110d8f8afec9fac9
SHA512 4f7c92718f4d33b6e0be90cd4a3dd3f30042d414fedf03a6ec5783181274c5d39aef56a4f4f8d3fd55eb92f9b6d60d14ec229f773875ce5a6102b87bbbb3187d

memory/4736-42-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4736-43-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe

MD5 18608c03b561edad4fe5e8d229c6920f
SHA1 686c4e9cf88c32259ad8476d732bb2f8a11bc47d
SHA256 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e
SHA512 c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950

memory/3172-48-0x0000000073C10000-0x00000000743C0000-memory.dmp

memory/3132-49-0x0000000001340000-0x0000000001356000-memory.dmp

memory/4736-51-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4472-53-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/4472-55-0x0000000073770000-0x0000000073F20000-memory.dmp

memory/4472-56-0x0000000007780000-0x0000000007D24000-memory.dmp

memory/4472-57-0x00000000072B0000-0x0000000007342000-memory.dmp

memory/4472-58-0x0000000007220000-0x0000000007230000-memory.dmp

memory/4472-59-0x0000000007350000-0x000000000735A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe

MD5 651458a449a6c9001b730a58952eb429
SHA1 cda93b012624afa18bd2e358aacd51651f516724
SHA256 af05fcf4482e848d1fa04013077e3c6d251735a4c3ddbec9f1437a95fac21eee
SHA512 f6c97cd7c068ddb9de1a7134efd71725a78b9c4ea7847241262ef40f581487d85df5c70ad666b87a567cc231c5bc6fd40910dacba703d5bb6744f6a7c8f2b183

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe

MD5 651458a449a6c9001b730a58952eb429
SHA1 cda93b012624afa18bd2e358aacd51651f516724
SHA256 af05fcf4482e848d1fa04013077e3c6d251735a4c3ddbec9f1437a95fac21eee
SHA512 f6c97cd7c068ddb9de1a7134efd71725a78b9c4ea7847241262ef40f581487d85df5c70ad666b87a567cc231c5bc6fd40910dacba703d5bb6744f6a7c8f2b183

memory/4472-64-0x0000000008350000-0x0000000008968000-memory.dmp

memory/4472-65-0x0000000007630000-0x000000000773A000-memory.dmp

memory/4472-66-0x0000000007520000-0x0000000007532000-memory.dmp

memory/4472-67-0x0000000007580000-0x00000000075BC000-memory.dmp

memory/4472-68-0x00000000075C0000-0x000000000760C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2A95.tmp\2AA6.tmp\2AA7.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_1120_UKAKQCMKAKBEVZUI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2056_HJAHYOOTCKRCCKPS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 93ad3867d187a850c0e68bdff832a17a
SHA1 e5c30c700a37a8c935afb35a02d249e795024804
SHA256 104e453895cba02be39355a155bbd09e996a30c3b9a7196240d53752a3dee26c
SHA512 fc5a600bc541b11ed15d7dc8b5eb56d199b5baf19e90490cc2ffee4124f67c750b47816b9653a87ea8e276788efdfea7b2255c9cc855ea3ba6f7f4af737c978a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 76e2e9b11f5ef76b67f3151684c0337b
SHA1 545a0eaca19f875bd94546e3543bff25d40fe414
SHA256 1e06bf2573a5ba2f775bcb4953cc33dbc0a3dcc0741fef2a050bdce01cece8e8
SHA512 49789f1e8c11a7a58e5d0691e46759a4e983f1309e1dd7cf71cbe75b872865ccddce192e33c8f12ab41c3d5dc4a0e8b312c45db6ec69a2a9db285bc295475a63

memory/4472-126-0x0000000073770000-0x0000000073F20000-memory.dmp

memory/4472-129-0x0000000007220000-0x0000000007230000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 50f5e7ae8e064a22a44c8e938641ba28
SHA1 20ff43a701419e12693e8662bed1bf7e8545cb08
SHA256 ad65866bf14ec46820959c0b097095d0a509e9dbe1eb51230d36585a0c28a639
SHA512 eacccd95a634b4a55be8faca8acb6a38c7e28c2ab08abdf2c1e75836e98352cbfbda7780dbbf6d6a9ec5c4e0505a9a003780ad621ed222df2598adb8ff1969e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 93ad3867d187a850c0e68bdff832a17a
SHA1 e5c30c700a37a8c935afb35a02d249e795024804
SHA256 104e453895cba02be39355a155bbd09e996a30c3b9a7196240d53752a3dee26c
SHA512 fc5a600bc541b11ed15d7dc8b5eb56d199b5baf19e90490cc2ffee4124f67c750b47816b9653a87ea8e276788efdfea7b2255c9cc855ea3ba6f7f4af737c978a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 beb55ba0be51447e0d07e8c83f1c65ff
SHA1 9358f80b4a2335de8ca2aef276f14ec0bcfc50be
SHA256 8833d99e1bf0330c60f17fab341c7635d3ef16cbad940907b33a2b01b97361c3
SHA512 b3cf2ea84f83a0fbee612cc8d3514f8781a447dbe9ec43026f77cdf592158618ce85bb0fcd267f514ca45251de78dd0e28eab4f1c3c1c09402eca06e82d527cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\7A7A.exe

MD5 c36b3237039a0094f563964364f50e24
SHA1 61d903e1f4667e9e2565e5c50c6dbe9976f45282
SHA256 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a
SHA512 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2

C:\Users\Admin\AppData\Local\Temp\7A7A.exe
