Analysis Overview
SHA256
a1991359a4031e2dd5d238748184212ff2c7c8b51848dbdcd35b762787f1aae5
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
SmokeLoader
Healer
SectopRAT payload
RedLine payload
SectopRAT
Modifies Windows Defender Real-time Protection settings
Amadey
Detects Healer an antivirus disabler dropper
RedLine
Downloads MZ/PE file
Uses the VBS compiler for execution
Executes dropped EXE
Loads dropped DLL
Windows security modification
Reads user/profile data of web browsers
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Checks installed software on the system
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 14:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 14:58
Reported
2023-10-12 15:01
Platform
win7-20230831-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2612 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 272
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
| MD5 | 0c572fbe41cbb0572c8800f24702de24 |
| SHA1 | 78fac8edfc9a499008ecaa4f51b6d60b5191e94f |
| SHA256 | fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32 |
| SHA512 | 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
| MD5 | 0c572fbe41cbb0572c8800f24702de24 |
| SHA1 | 78fac8edfc9a499008ecaa4f51b6d60b5191e94f |
| SHA256 | fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32 |
| SHA512 | 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
| MD5 | 9f326be1d6b50927040011f3a65a0ef6 |
| SHA1 | 439a6acdf37c927bbc92e3e41726ff1ca4a3e684 |
| SHA256 | 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333 |
| SHA512 | 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
| MD5 | 9f326be1d6b50927040011f3a65a0ef6 |
| SHA1 | 439a6acdf37c927bbc92e3e41726ff1ca4a3e684 |
| SHA256 | 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333 |
| SHA512 | 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
| MD5 | 2a2c3dcda47bdfbeed60f4d14c72bc38 |
| SHA1 | 5648dc8b940ba0f0f732c507a169425c8f7783fe |
| SHA256 | 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9 |
| SHA512 | 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
| MD5 | 2a2c3dcda47bdfbeed60f4d14c72bc38 |
| SHA1 | 5648dc8b940ba0f0f732c507a169425c8f7783fe |
| SHA256 | 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9 |
| SHA512 | 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 14:58
Reported
2023-10-12 15:01
Platform
win10v2004-20230915-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\884A.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\884A.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\884A.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\884A.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\884A.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\884A.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8FBE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A00B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A00B.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\884A.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7A7A.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\884A.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3164 -ip 3164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 568
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4520 -ip 4520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4600 -ip 4600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 548
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2184 -ip 2184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 148
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2A95.tmp\2AA6.tmp\2AA7.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10362367851698089241,16809530312321572622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10362367851698089241,16809530312321572622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7A7A.exe
C:\Users\Admin\AppData\Local\Temp\7A7A.exe
C:\Users\Admin\AppData\Local\Temp\7EF0.exe
C:\Users\Admin\AppData\Local\Temp\7EF0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\828B.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe
C:\Users\Admin\AppData\Local\Temp\85C8.exe
C:\Users\Admin\AppData\Local\Temp\85C8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JP83Dm7.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JP83Dm7.exe
C:\Users\Admin\AppData\Local\Temp\884A.exe
C:\Users\Admin\AppData\Local\Temp\884A.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\8B0A.exe
C:\Users\Admin\AppData\Local\Temp\8B0A.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718
C:\Users\Admin\AppData\Local\Temp\8FBE.exe
C:\Users\Admin\AppData\Local\Temp\8FBE.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\A00B.exe
C:\Users\Admin\AppData\Local\Temp\A00B.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4140 -ip 4140
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\A4BF.exe
C:\Users\Admin\AppData\Local\Temp\A4BF.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 268
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\AD9A.exe
C:\Users\Admin\AppData\Local\Temp\AD9A.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5580 -ip 5580
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\B134.exe
C:\Users\Admin\AppData\Local\Temp\B134.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 792
C:\Users\Admin\AppData\Local\Temp\B2CC.exe
C:\Users\Admin\AppData\Local\Temp\B2CC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1980 -ip 1980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5588 -ip 5588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 200
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4236 -ip 4236
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\BD3D.exe
C:\Users\Admin\AppData\Local\Temp\BD3D.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Yu966Qp.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Yu966Qp.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B134.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff046c46f8,0x7fff046c4708,0x7fff046c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B134.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3715680583931192788,16447622099341430061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | 16.43.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| GB | 157.240.221.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | 16.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| GB | 157.240.221.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| NL | 85.209.176.171:80 | 85.209.176.171 | tcp |
| US | 8.8.8.8:53 | 171.176.209.85.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| IT | 185.196.9.65:80 | | tcp |
| US | 8.8.8.8:53 | 65.9.196.185.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| TR | 185.216.70.238:37515 | | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.70.216.185.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 8.8.8.8:53 | 183.2.85.104.in-addr.arpa | udp |
| US | 13.107.246.67:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 139.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| IE | 52.210.125.129:443 | mscom.demdex.net | tcp |
| US | 8.8.8.8:53 | 129.125.210.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | target.microsoft.com | udp |
| US | 8.8.8.8:53 | microsoftmscompoc.tt.omtrdc.net | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.42.73.25:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 20.42.73.25:443 | browser.events.data.microsoft.com | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
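The table above mixes resolver traffic to 8.8.8.8, reverse lookups, browser noise from the Edge windows the sample opened, and the sample's own connections. The following is an added script, not part of the report, that parses a constructed subset of those rows and separates raw-IP connections (no hostname, or a hostname equal to the IP, i.e. addresses hard-coded in the sample) from DNS, mDNS, the external-IP lookup services the report flags (api.ip.sb, ipinfo.io) and named hosts, then lists the non-standard ports among the candidates. The category names and the allowlist of IP-lookup hosts are assumptions for this example. The parser accepts both ways an empty Domain cell can come out of a markdown export (an empty cell in place, or the protocol shifted left into the Domain column) and a row missing its trailing pipe.

```python
from collections import Counter

# Constructed subset of the Network table above, with the empty-Domain rows
# in both export forms and one row without its trailing pipe.
SAMPLE_ROWS = [
    "| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |",
    "| FI | 77.91.124.55:19071 | tcp | |",
    "| US | 8.8.8.8:53 | accounts.google.com | udp |",
    "| NL | 142.250.179.141:443 | accounts.google.com | tcp |",
    "| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |",
    "| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |",
    "| TR | 185.216.70.238:37515 | | tcp |",
    "| US | 8.8.8.8:53 | api.ip.sb | udp |",
    "| US | 34.117.59.81:443 | ipinfo.io | tcp |",
    "| N/A | 224.0.0.251:5353 | udp | |",
    "| FI | 77.91.124.55:19071 | tcp",
]

PROTOS = {"tcp", "udp"}
# Assumption for this example: the external-IP lookup services seen in this report.
IP_LOOKUP_HOSTS = {"api.ip.sb", "ipinfo.io"}


def parse_row(row):
    """Parse one '| Country | ip:port | Domain | Proto |' row into a dict.
    Returns None for header or malformed rows. The protocol is taken from
    whichever cell holds 'tcp'/'udp', so a shifted empty Domain cell still parses."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3 or ":" not in cells[1]:
        return None
    ip, _, port = cells[1].rpartition(":")
    rest = cells[2:]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c and c.lower() not in PROTOS), "")
    return {"country": cells[0], "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(rec):
    """Bucket a parsed row; order matters (resolver traffic before the raw-IP test)."""
    if rec["port"] == 53 and rec["proto"] == "udp":
        return "dns"
    if rec["port"] == 5353 or rec["ip"].startswith("224."):
        return "mdns"
    if rec["domain"] in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    if rec["domain"] in ("", rec["ip"]):
        return "raw_ip_candidate"   # no name resolved: the address is embedded in the sample
    return "named_host"


def c2_candidates(rows):
    """Counter of 'ip:port' for every raw-IP connection (repeats = beaconing)."""
    counts = Counter()
    for row in rows:
        rec = parse_row(row)
        if rec and classify(rec) == "raw_ip_candidate":
            counts[f'{rec["ip"]}:{rec["port"]}'] += 1
    return counts


def dns_names(rows):
    """Forward names the sample (or the browser it launched) resolved, minus PTR lookups."""
    names = set()
    for row in rows:
        rec = parse_row(row)
        if rec and classify(rec) == "dns" and not rec["domain"].endswith(".in-addr.arpa"):
            names.add(rec["domain"])
    return names


def nonstandard_ports(rows):
    """Ports other than 80/443 among the raw-IP candidates; good firewall/IDS pivots."""
    ports = {int(ep.rpartition(":")[2]) for ep in c2_candidates(rows)}
    return {p for p in ports if p not in (80, 443)}


if __name__ == "__main__":
    for endpoint, n in c2_candidates(SAMPLE_ROWS).most_common():
        print(f"{endpoint:24} x{n}")
    print("resolved:", sorted(dns_names(SAMPLE_ROWS)))
    print("non-standard ports:", sorted(nonstandard_ports(SAMPLE_ROWS)))
```

On the full table the repeated 77.91.124.55:19071 connections stand out as the beacon, while the one-off port-80 raw-IP hosts line up with the "Downloads MZ/PE file" signature; the named Microsoft, Google and Facebook hosts are what Edge fetched after the sample opened login pages and the .NET shim-error URL, and can be dropped from the IOC set.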
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
| MD5 | 0c572fbe41cbb0572c8800f24702de24 |
| SHA1 | 78fac8edfc9a499008ecaa4f51b6d60b5191e94f |
| SHA256 | fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32 |
| SHA512 | 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
| MD5 | 9f326be1d6b50927040011f3a65a0ef6 |
| SHA1 | 439a6acdf37c927bbc92e3e41726ff1ca4a3e684 |
| SHA256 | 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333 |
| SHA512 | 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
| MD5 | 2a2c3dcda47bdfbeed60f4d14c72bc38 |
| SHA1 | 5648dc8b940ba0f0f732c507a169425c8f7783fe |
| SHA256 | 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9 |
| SHA512 | 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
| MD5 | 3ff825411b1fe07e712a5dcae34f80eb |
| SHA1 | e3e4358cabfa74d6e36e26754b01ed78434a6877 |
| SHA256 | 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739 |
| SHA512 | 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81 |
memory/3172-28-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3172-29-0x0000000073C10000-0x00000000743C0000-memory.dmp
memory/3172-30-0x0000000073C10000-0x00000000743C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe
| MD5 | c744cde6a13370a7d6c1c0081899275c |
| SHA1 | 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955 |
| SHA256 | eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f |
| SHA512 | 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vd5009.exe
| MD5 | c744cde6a13370a7d6c1c0081899275c |
| SHA1 | 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955 |
| SHA256 | eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f |
| SHA512 | 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb |
memory/4600-34-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4600-35-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4600-36-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4600-38-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe
| MD5 | fd06b98da4a84630b88bf94723239636 |
| SHA1 | ce781503f76b748c327ece62600d0aedb97fc899 |
| SHA256 | 5494c36ef10edc6023587cc455e845c27d721be80377ce89110d8f8afec9fac9 |
| SHA512 | 4f7c92718f4d33b6e0be90cd4a3dd3f30042d414fedf03a6ec5783181274c5d39aef56a4f4f8d3fd55eb92f9b6d60d14ec229f773875ce5a6102b87bbbb3187d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lz04td.exe
| MD5 | fd06b98da4a84630b88bf94723239636 |
| SHA1 | ce781503f76b748c327ece62600d0aedb97fc899 |
| SHA256 | 5494c36ef10edc6023587cc455e845c27d721be80377ce89110d8f8afec9fac9 |
| SHA512 | 4f7c92718f4d33b6e0be90cd4a3dd3f30042d414fedf03a6ec5783181274c5d39aef56a4f4f8d3fd55eb92f9b6d60d14ec229f773875ce5a6102b87bbbb3187d |
memory/4736-42-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4736-43-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe
| MD5 | 18608c03b561edad4fe5e8d229c6920f |
| SHA1 | 686c4e9cf88c32259ad8476d732bb2f8a11bc47d |
| SHA256 | 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e |
| SHA512 | c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aN291lY.exe
| MD5 | 18608c03b561edad4fe5e8d229c6920f |
| SHA1 | 686c4e9cf88c32259ad8476d732bb2f8a11bc47d |
| SHA256 | 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e |
| SHA512 | c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950 |
memory/3172-48-0x0000000073C10000-0x00000000743C0000-memory.dmp
memory/3132-49-0x0000000001340000-0x0000000001356000-memory.dmp
memory/4736-51-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4472-53-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/4472-55-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/4472-56-0x0000000007780000-0x0000000007D24000-memory.dmp
memory/4472-57-0x00000000072B0000-0x0000000007342000-memory.dmp
memory/4472-58-0x0000000007220000-0x0000000007230000-memory.dmp
memory/4472-59-0x0000000007350000-0x000000000735A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe
| MD5 | 651458a449a6c9001b730a58952eb429 |
| SHA1 | cda93b012624afa18bd2e358aacd51651f516724 |
| SHA256 | af05fcf4482e848d1fa04013077e3c6d251735a4c3ddbec9f1437a95fac21eee |
| SHA512 | f6c97cd7c068ddb9de1a7134efd71725a78b9c4ea7847241262ef40f581487d85df5c70ad666b87a567cc231c5bc6fd40910dacba703d5bb6744f6a7c8f2b183 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ca5em9.exe
| MD5 | 651458a449a6c9001b730a58952eb429 |
| SHA1 | cda93b012624afa18bd2e358aacd51651f516724 |
| SHA256 | af05fcf4482e848d1fa04013077e3c6d251735a4c3ddbec9f1437a95fac21eee |
| SHA512 | f6c97cd7c068ddb9de1a7134efd71725a78b9c4ea7847241262ef40f581487d85df5c70ad666b87a567cc231c5bc6fd40910dacba703d5bb6744f6a7c8f2b183 |
memory/4472-64-0x0000000008350000-0x0000000008968000-memory.dmp
memory/4472-65-0x0000000007630000-0x000000000773A000-memory.dmp
memory/4472-66-0x0000000007520000-0x0000000007532000-memory.dmp
memory/4472-67-0x0000000007580000-0x00000000075BC000-memory.dmp
memory/4472-68-0x00000000075C0000-0x000000000760C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2A95.tmp\2AA6.tmp\2AA7.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6351be8b63227413881e5dfb033459cc |
| SHA1 | f24489be1e693dc22d6aac7edd692833c623d502 |
| SHA256 | e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b |
| SHA512 | 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
\??\pipe\LOCAL\crashpad_1120_UKAKQCMKAKBEVZUI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_2056_HJAHYOOTCKRCCKPS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 93ad3867d187a850c0e68bdff832a17a |
| SHA1 | e5c30c700a37a8c935afb35a02d249e795024804 |
| SHA256 | 104e453895cba02be39355a155bbd09e996a30c3b9a7196240d53752a3dee26c |
| SHA512 | fc5a600bc541b11ed15d7dc8b5eb56d199b5baf19e90490cc2ffee4124f67c750b47816b9653a87ea8e276788efdfea7b2255c9cc855ea3ba6f7f4af737c978a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 76e2e9b11f5ef76b67f3151684c0337b |
| SHA1 | 545a0eaca19f875bd94546e3543bff25d40fe414 |
| SHA256 | 1e06bf2573a5ba2f775bcb4953cc33dbc0a3dcc0741fef2a050bdce01cece8e8 |
| SHA512 | 49789f1e8c11a7a58e5d0691e46759a4e983f1309e1dd7cf71cbe75b872865ccddce192e33c8f12ab41c3d5dc4a0e8b312c45db6ec69a2a9db285bc295475a63 |
memory/4472-126-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/4472-129-0x0000000007220000-0x0000000007230000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 50f5e7ae8e064a22a44c8e938641ba28 |
| SHA1 | 20ff43a701419e12693e8662bed1bf7e8545cb08 |
| SHA256 | ad65866bf14ec46820959c0b097095d0a509e9dbe1eb51230d36585a0c28a639 |
| SHA512 | eacccd95a634b4a55be8faca8acb6a38c7e28c2ab08abdf2c1e75836e98352cbfbda7780dbbf6d6a9ec5c4e0505a9a003780ad621ed222df2598adb8ff1969e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 93ad3867d187a850c0e68bdff832a17a |
| SHA1 | e5c30c700a37a8c935afb35a02d249e795024804 |
| SHA256 | 104e453895cba02be39355a155bbd09e996a30c3b9a7196240d53752a3dee26c |
| SHA512 | fc5a600bc541b11ed15d7dc8b5eb56d199b5baf19e90490cc2ffee4124f67c750b47816b9653a87ea8e276788efdfea7b2255c9cc855ea3ba6f7f4af737c978a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | beb55ba0be51447e0d07e8c83f1c65ff |
| SHA1 | 9358f80b4a2335de8ca2aef276f14ec0bcfc50be |
| SHA256 | 8833d99e1bf0330c60f17fab341c7635d3ef16cbad940907b33a2b01b97361c3 |
| SHA512 | b3cf2ea84f83a0fbee612cc8d3514f8781a447dbe9ec43026f77cdf592158618ce85bb0fcd267f514ca45251de78dd0e28eab4f1c3c1c09402eca06e82d527cf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 699e3636ed7444d9b47772e4446ccfc1 |
| SHA1 | db0459ca6ceeea2e87e0023a6b7ee06aeed6fded |
| SHA256 | 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a |
| SHA512 | d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\7A7A.exe
| MD5 | c36b3237039a0094f563964364f50e24 |
| SHA1 | 61d903e1f4667e9e2565e5c50c6dbe9976f45282 |
| SHA256 | 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a |
| SHA512 | 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2 |
C:\Users\Admin\AppData\Local\Temp\7A7A.exe
| MD5 | c36b3237039a0094f563964364f50e24 |
| SHA1 | 61d903e1f4667e9e2565e5c50c6dbe9976f45282 |
| SHA256 | 0954e90783c2c369a6b2df16e19bda360669d72c77e4c8295df973067758844a |
| SHA512 | 9e087b9d01cccf4650859881f6ea95e7e82750d75cf48d86f7de7654f88c2eb8af4e1d10cd1d36bc75acf1f8c365900b8a7632e3c3f7ce78327eec95caa6c1c2 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ZB00wv.exe
| MD5 | 78e10343ad8e8a315c6c59473eeb1f94 |
| SHA1 | 5e2669b4ed295fd0b780270c02050ca03dadbee9 |
| SHA256 | 6f02bcabda63effbbe30db77c4d1d5442230168b5399ade26377b63d827f4f39 |
| SHA512 | c83287516a6fb03c09886d459c20501ea8eb19eba216adccee869f24564e94ee2777bbf428b6a591e77db8c3e8bd0935a08916c5303fcaf4716b83009226ef01 |
C:\Users\Admin\AppData\Local\Temp\7EF0.exe
| MD5 | c744cde6a13370a7d6c1c0081899275c |
| SHA1 | 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955 |
| SHA256 | eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f |
| SHA512 | 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb |
C:\Users\Admin\AppData\Local\Temp\7EF0.exe
| MD5 | c744cde6a13370a7d6c1c0081899275c |
| SHA1 | 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955 |
| SHA256 | eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f |
| SHA512 | 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
| MD5 | 264645e6949faa6016f9b985467c88ea |
| SHA1 | efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e |
| SHA256 | aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517 |
| SHA512 | 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd7St1zm.exe
| MD5 | 264645e6949faa6016f9b985467c88ea |
| SHA1 | efc3e10e30f07b0bd97049d7dd8c87a3de9e4c0e |
| SHA256 | aabc3d235483d7ecd8317c0c897385cefe42bbd41aafcd614a58f48ec57b6517 |
| SHA512 | 88e3abf2fbe57d6628c55b469b6f0653b313686045b7412a09dfb4c3e2edfd0afa62e60adb1020a7bc3f9b08bb782e868e6b32b246185d199ff55d6c475eaf96 |
C:\Users\Admin\AppData\Local\Temp\7EF0.exe
| MD5 | c744cde6a13370a7d6c1c0081899275c |
| SHA1 | 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955 |
| SHA256 | eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f |
| SHA512 | 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb |
C:\Users\Admin\AppData\Local\Temp\828B.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4995cb306cc2f734b84b528ae96907ea |
| SHA1 | 07bef35172146a9bf25a687ff9f9189f76663d59 |
| SHA256 | b31131f495402b4a95f313299c9de0a3aa07a23879c37cc588a039a5945c4101 |
| SHA512 | 9d6d3f1f10a8b15e3fa5aeb6e4af572123de61320988be8f05e3cc9ec40bcf4767ce30f2d78c34bb7680559831fca0708a9ce412e2ba0b9dd0c642d60e516198 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe
| MD5 | 9fe34a518445397968659dce6da60c18 |
| SHA1 | 52eae1b19718ca1357bf9c6466e22947a77c1930 |
| SHA256 | 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb |
| SHA512 | 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DS906yG.exe
| MD5 | 18608c03b561edad4fe5e8d229c6920f |
| SHA1 | 686c4e9cf88c32259ad8476d732bb2f8a11bc47d |
| SHA256 | 39eeb86cc08c5f1ba58023218681129519c311e4c362fb74ce8ae1094ed5606e |
| SHA512 | c1340d1ec541fbfdfcd77a1a4d2a2cccaee97ea30907021fff880b091d779f97fea6d1042b429a77152334859c8f2ad70bd5e347b67ed04b1ffcbb9673fa2950 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rN1Jp6KH.exe
| MD5 | 9fe34a518445397968659dce6da60c18 |
| SHA1 | 52eae1b19718ca1357bf9c6466e22947a77c1930 |
| SHA256 | 7c31c8606c9f90f67a7f068d2a3f2acb074dd8f32cf16a752ba042fc7ca4a5cb |
| SHA512 | 9129739b89123c5ed9ab42462ec1c59b06647b68a463819ba78b645454a606a62664b205308bc9d8be7066cd0b37e41834b621f1353178e67ddfc1fc23a7daf6 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe
| MD5 | ad9fff6459a8fc45d5422347648c4a5f |
| SHA1 | c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf |
| SHA256 | 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c |
| SHA512 | 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oy3TK5PJ.exe
| MD5 | ad9fff6459a8fc45d5422347648c4a5f |
| SHA1 | c9fc0372a5d7ebc17a9e90cd05db7246fec63cbf |
| SHA256 | 198191aa01e71bafcba1f391aef25c7a72953ddfc8c088c49027bd6817c5699c |
| SHA512 | 181a61658a83f6c8d3f662ea7fc2fe8c2695263de09a4493cf922881212fb3a91ec99477bcbf0a820b58b7a122a8e868712435f081d728be416fe4b0b77c402a |
C:\Users\Admin\AppData\Local\Temp\85C8.exe
| MD5 | a410f2978782614af3d5e20abf2f3ac9 |
| SHA1 | bbbfd08cf58add22f347b217b2a69be389aaf24c |
| SHA256 | 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab |
| SHA512 | 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe
| MD5 | 0bbb36ddd1e4621672f2ef69da9105e5 |
| SHA1 | fa6a570e0a934e9f91e4689ea31560dfa99f3c84 |
| SHA256 | 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d |
| SHA512 | 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zh2vK7dI.exe
| MD5 | 0bbb36ddd1e4621672f2ef69da9105e5 |
| SHA1 | fa6a570e0a934e9f91e4689ea31560dfa99f3c84 |
| SHA256 | 8ee308b30bf187c3a6f86302d360bc6a3e839bc94a1a9ab829b628c9b66b822d |
| SHA512 | 675fcc2f15175db261db4731e261e814863e84e96bdc640dadce77e5cd09eac96876d175f01b533a8c4b21744e9983b8e232d36c3e064b87dedbe8de60252fe0 |
C:\Users\Admin\AppData\Local\Temp\85C8.exe
| MD5 | a410f2978782614af3d5e20abf2f3ac9 |
| SHA1 | bbbfd08cf58add22f347b217b2a69be389aaf24c |
| SHA256 | 1c32ea981f5d489fb1e71212f0915e347c3744c43a5877fb138abe08c220efab |
| SHA512 | 905663ced4fae3da2df420b02d01ed7a343f3cb9ee0c718401567e532adf786857eaae43f68d5d9925e9fe57f6c1e28414ba58b759ec1ed32b9d3c4a0abe23c0 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JP83Dm7.exe
| MD5 | c744cde6a13370a7d6c1c0081899275c |
| SHA1 | 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955 |
| SHA256 | eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f |
| SHA512 | 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb |
memory/3396-327-0x0000000000B40000-0x0000000000B4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\884A.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
C:\Users\Admin\AppData\Local\Temp\884A.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
memory/3396-329-0x00007FFEFFC90000-0x00007FFF00751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JP83Dm7.exe
| MD5 | c744cde6a13370a7d6c1c0081899275c |
| SHA1 | 4fc5ac716a6c99b0fd107e53c49ce8d95bad5955 |
| SHA256 | eb87e4b3b1a68abac9dfe25d1cb6de511f9483e4b8974c859690dee68e6a844f |
| SHA512 | 6c112c801247611efebc931b8fb95a0ae0990bc9cf7adaa40dc9955d1441d559aa947088d835fe3fb4351425e60c8194ab05cceabe23460d44b2df17619b0feb |
C:\Users\Admin\AppData\Local\Temp\8B0A.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\8B0A.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\8FBE.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Temp\8FBE.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8a3f5ef6567cbad6524e58b45ef71bdb |
| SHA1 | 3291159057c792181230d09b1cf0dc7dea3f6428 |
| SHA256 | 8091d39f22a4f434a3a38f4bff867d7b431c2fde9fb8be861b992c8cbc9b0c9f |
| SHA512 | 29da2c7797cde0cf7cef2fe3bf1b16002f5bd4bd0eadc7cbbf504e63ef36405dd2ef779f7dac259a9b50c6692c1d839f25203dac52fda3248ecaa81ce4e11e2b |
memory/5644-392-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5644-397-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5644-399-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
memory/5692-412-0x00000000004B0000-0x00000000004CE000-memory.dmp
memory/5580-413-0x0000000001FB0000-0x000000000200A000-memory.dmp
memory/5644-417-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5692-416-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/5580-418-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3396-420-0x00007FFEFFC90000-0x00007FFF00751000-memory.dmp
memory/5580-423-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/5692-427-0x0000000004E30000-0x0000000004E40000-memory.dmp
memory/6060-429-0x0000000000CB0000-0x0000000000E08000-memory.dmp
memory/1480-444-0x00000000003E0000-0x000000000043A000-memory.dmp
memory/1480-445-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/1480-453-0x0000000007400000-0x0000000007410000-memory.dmp
memory/5588-454-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5588-452-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5588-458-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3396-459-0x00007FFEFFC90000-0x00007FFF00751000-memory.dmp
memory/5216-464-0x00000000020A0000-0x00000000020FA000-memory.dmp
memory/5216-463-0x0000000000400000-0x000000000046F000-memory.dmp
memory/5340-470-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/5340-471-0x0000000007A00000-0x0000000007A10000-memory.dmp
memory/5692-472-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/6060-473-0x0000000000CB0000-0x0000000000E08000-memory.dmp
memory/5364-492-0x0000000000500000-0x000000000053E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 16812704dbd0def9f58283d4c2f0deb6 |
| SHA1 | f88b50d46745241a111a9a8537825d0768bf7cd8 |
| SHA256 | 5856e8024218d52b37109bd2fc8d649fe9032e7204c4497e957b1c40ece19f9a |
| SHA512 | 0a33e7471fcd0c79f441a9c804f045fae99fd273eee6a7743ee6b6db99c65418f326abe0ccd883632f88445a883e88e7521d604f7d346516d84c7094507150fb |
memory/1480-515-0x0000000007D70000-0x0000000007DD6000-memory.dmp
memory/5692-516-0x0000000004E30000-0x0000000004E40000-memory.dmp
memory/5364-517-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/6060-518-0x0000000000CB0000-0x0000000000E08000-memory.dmp
memory/5364-525-0x0000000007380000-0x0000000007390000-memory.dmp
memory/1480-526-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/3636-532-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/3636-533-0x0000000000FC0000-0x0000000000FFE000-memory.dmp
memory/1480-534-0x0000000007400000-0x0000000007410000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4bc772202d472144f4f8ee314baa112f |
| SHA1 | 8f53ecf24a9e8595553f7c98d5df5125f506f1c9 |
| SHA256 | 5b91c8837101a4fa187164c6e12a24ae897f33f28814faa89e1608bff050e7a6 |
| SHA512 | 6b9f91d1df2a258653aa64e1539989ac1fcf775d9d56055ffa4e7316f14498ddd641435fce92a9aea05bf195f4cd9c21a4f0edf35e09b8b8c48acca53b22ad5b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d210.TMP
| MD5 | 46450159e3661135b1cd42c98d68837a |
| SHA1 | c4b19b17662c6c51091028034af74ffea2154a5a |
| SHA256 | 40512f2ec7a13fe6bce37555704dc6feca3e07437c9ba49a73cb74e413c6fa8a |
| SHA512 | 7823c68576d68e1073f9e04c3e509399193055ce83afa40c9861e4b27000e257d1990dd2346598a57b6009e398055072e80e823f675793210324c8d41d42691f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0547cf278c894d4685836612b55a1042 |
| SHA1 | 8cd91e8d27ecad7e9f6958e83a42e5c9f26c5a5b |
| SHA256 | d397895c38732ebeb7bc16913543cfbe16d7338117f3855e36a3c3a54ccff84f |
| SHA512 | d8965d0a73c4cef509c74d2653cce67f5cd1ccc46516fd5762bee49ae13d196f28380548268b702055bd5446b4796585797c2033c907c9118a1afde76937653d |
memory/5340-573-0x0000000073770000-0x0000000073F20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8299f0974bb410195802602f5d414a6a |
| SHA1 | 4be0dacbf2b6f7aabd85ef5a008121037fd584ce |
| SHA256 | ad6803f4e31833b4837b48345c54d245b32772512b6e07f0e319d7eedabf67b0 |
| SHA512 | fa8e038a4e415ea3e913441e9709ac9ea97dcad3a149520a6abe2d2ec4f18b268665c9c7ba339f60cc1b732c392aa12eadca295c17dac50e40c545b7b9c253bc |
memory/5580-586-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/5340-589-0x0000000007A00000-0x0000000007A10000-memory.dmp
memory/4516-613-0x00007FF651930000-0x00007FF651C2F000-memory.dmp
memory/5364-614-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/5364-615-0x0000000009AB0000-0x0000000009B00000-memory.dmp
memory/5364-616-0x0000000007380000-0x0000000007390000-memory.dmp
memory/5832-617-0x0000000000910000-0x0000000000943000-memory.dmp
memory/4516-618-0x00007FF651930000-0x00007FF651C2F000-memory.dmp
memory/5832-619-0x0000000000910000-0x0000000000943000-memory.dmp
memory/5832-620-0x0000000000910000-0x0000000000943000-memory.dmp
memory/3636-621-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/5832-622-0x0000000000910000-0x0000000000943000-memory.dmp
memory/5832-623-0x0000000000910000-0x0000000000943000-memory.dmp
memory/5364-624-0x00000000060A0000-0x0000000006262000-memory.dmp
memory/5364-625-0x00000000069A0000-0x0000000006ECC000-memory.dmp
memory/3636-626-0x0000000007EE0000-0x0000000007EF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0128126492738a792a555174950e23dc |
| SHA1 | c20ab1a12f1b885ff53cd2d7ec725bacd5a21a31 |
| SHA256 | e562473efdb36225e1324177ae361bb2690b0d6908fc13686f98a03d4c5fdb10 |
| SHA512 | 77002292756ae058ef52ea7597d14219e1164b70b636f76ada8613e0c90f22fc7899d049fcb103e1177608682547012b15020401dbd0c6957fac7b425c4905ed |
memory/1480-636-0x00000000094D0000-0x0000000009546000-memory.dmp
memory/5364-647-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/1480-648-0x0000000009330000-0x000000000934E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp391.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmp3C6.tmp
| MD5 | 6e98ae51f6cacb49a7830bede7ab9920 |
| SHA1 | 1b7e9e375bd48cae50343e67ecc376cf5016d4ee |
| SHA256 | 192cd04b9a4d80701bb672cc3678912d1df8f6b987c2b4991d9b6bfbe8f011fd |
| SHA512 | 3e7cdda870cbde0655cc30c2f7bd3afee96fdfbe420987ae6ea2709089c0a8cbc8bb9187ef3b4ec3f6a019a9a8b465588b61029869f5934e0820b2461c4a9b2b |
C:\Users\Admin\AppData\Local\Temp\tmp401.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp426.tmp
| MD5 | 11f44780694343a19c484af8103060de |
| SHA1 | b8a4e4cbfbf6bd29db36ceff669614ca94270494 |
| SHA256 | 508faf119a4e9d83727285a85c7ff6ed0a5d15454be43f98efe9aa7675c5ff5b |
| SHA512 | f72134683ae14b5895d2480c99ad98b8914ad7c42472f08e975e6a2e2d7e4f08fc5fc042e3ac533b321f644b7a77d2388d96c4b7547d4dd775eb66df6d5bd7f0 |
C:\Users\Admin\AppData\Local\Temp\tmp457.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp473.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
memory/1480-841-0x0000000073770000-0x0000000073F20000-memory.dmp
memory/5692-847-0x0000000073770000-0x0000000073F20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1294a702ad81c1fd317a7bcb60c1b5e3 |
| SHA1 | 216654000b165e173072c0c2e2541d09b706fc27 |
| SHA256 | ca113a8e90e6121973f8e1353e31057691e66f0808db7cee51f5427f13a1cf81 |
| SHA512 | a1cb6b6bd0fd793f88449bf1b5cf382ed4a2051151b0a3404389076233cf3669d5f9764b950e7fa3596bec093874e2f09cacd0211c130e36207c1355b8f63c56 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 730be40550c9680d7502e5f933fcb38e |
| SHA1 | 111088617a138868f1df77b4e96f803e7f7301cf |
| SHA256 | fb88ffc74b1df53389bdc6eb396284581f593a1fa1f919c6cd6ee986d4a97e6a |
| SHA512 | 00463b3daf533a77d4ff3d9c770e868657daffa3eef5fa6c927d9926972df3b0b140c9c35ee140e7a5e96d97e4d1c62b26785d1b94d632341ec310cd4cbcd786 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 56ca2a62d841c90120ab0cee99abddcc |
| SHA1 | 82f1ba3f249453e5556ded3f7d8996eb96dc1cbc |
| SHA256 | bdb8eebc8ef522b2441a7aaf721aebc50be364549454acda45da693526a808de |
| SHA512 | fe02ce0a174ab22b02362c58e1ebe5e1f045f9caa217c155245a24b6084a398ea251d01d71cfc0853771193658b4df0340855d7f991010483c12813a52e2225a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 78c0b8195e9b1edb3c0ea340342c9d4f |
| SHA1 | 9b03a72b56e5ebdbf0d7dbb586227cd790edad3c |
| SHA256 | 50ece9b03cde37e7baea33b8340ee767b2d4aa36165fc226fa51c8edfd3d9fdf |
| SHA512 | 41fe5d4894d254be64e311e4ffd75b56c934bd12ef2d1548b7337de60d8fbf2c44ed98a7edb3a1be195b3ee20973dd6b4214dcd256d2da6c624ee577a45b217e |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |