Malware Analysis Report

2025-08-05 19:01

Sample ID 231018-vcgscshh45
Target a5050402ceb0a865b0ae6d146af53779.exe
SHA256 3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252
Tags
amadey dcrat glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish motion pixelscloud2.0 backdoor dropper evasion infostealer loader persistence rat trojan microsoft discovery phishing spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252

Threat Level: Known bad

The file a5050402ceb0a865b0ae6d146af53779.exe was found to be: Known bad.

Malicious Activity Summary

SectopRAT payload

RedLine

Modifies Windows Defender Real-time Protection settings

Glupteba payload

Amadey

SectopRAT

RedLine payload

DcRat

SmokeLoader

Glupteba

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Reads user/profile data of local email clients

.NET Reactor protector

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Windows security modification

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Drops file in System32 directory

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-18 16:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-18 16:50

Reported

2023-10-18 16:53

Platform

win7-20230831-en

Max time kernel

62s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F2DB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F2DB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\F2DB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\F2DB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\F2DB.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EE64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EEF2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F51D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F703.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F676.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F7A0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FD5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\135D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\181F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19D6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\190A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EE64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EE64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F51D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1234.exe N/A

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F2DB.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\EE64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\181F.exe'\"" C:\Users\Admin\AppData\Local\Temp\181F.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1688 set thread context of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F703.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F2DB.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 2244 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 2244 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 2244 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 2244 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 2244 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 2244 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 2740 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 2740 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 2740 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 2740 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 2740 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 2740 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 2740 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 2628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 2628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 2628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 2628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 2628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 2628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 2628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 2588 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 2588 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 2588 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 2588 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 2588 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 2588 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 2588 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 2440 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 2440 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 2440 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 2440 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 2440 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 2440 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 2440 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 2440 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 2440 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 2440 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 2440 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 2440 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 2440 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 2440 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 2588 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 2588 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 2588 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 2588 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 2588 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 2588 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 2588 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1688 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2628 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe
PID 2628 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe
PID 2628 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe
PID 2628 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe
PID 2628 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe

"C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

C:\Users\Admin\AppData\Local\Temp\EE64.exe

C:\Users\Admin\AppData\Local\Temp\EE64.exe

C:\Users\Admin\AppData\Local\Temp\EEF2.exe

C:\Users\Admin\AppData\Local\Temp\EEF2.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\F01B.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe

C:\Users\Admin\AppData\Local\Temp\F0B8.exe

C:\Users\Admin\AppData\Local\Temp\F0B8.exe

C:\Users\Admin\AppData\Local\Temp\F2DB.exe

C:\Users\Admin\AppData\Local\Temp\F2DB.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe

C:\Users\Admin\AppData\Local\Temp\F51D.exe

C:\Users\Admin\AppData\Local\Temp\F51D.exe

C:\Users\Admin\AppData\Local\Temp\F676.exe

C:\Users\Admin\AppData\Local\Temp\F676.exe

C:\Users\Admin\AppData\Local\Temp\F703.exe

C:\Users\Admin\AppData\Local\Temp\F703.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\F7A0.exe

C:\Users\Admin\AppData\Local\Temp\F7A0.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\FD5B.exe

C:\Users\Admin\AppData\Local\Temp\FD5B.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\1234.exe

C:\Users\Admin\AppData\Local\Temp\1234.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\135D.exe

C:\Users\Admin\AppData\Local\Temp\135D.exe

C:\Users\Admin\AppData\Local\Temp\181F.exe

C:\Users\Admin\AppData\Local\Temp\181F.exe

C:\Users\Admin\AppData\Local\Temp\190A.exe

C:\Users\Admin\AppData\Local\Temp\190A.exe

C:\Users\Admin\AppData\Local\Temp\19D6.exe

C:\Users\Admin\AppData\Local\Temp\19D6.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=135D.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2sh993Wh.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2sh993Wh.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:209928 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275468 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {525B6A33-ABC5-4379-A144-7B096B40BAF1} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
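
The command lines above are the whole persistence mechanism, and they translate almost directly into a detection. The block below is an added example written for this page, not code from the sandbox or from the malware: it runs a few regular-expression rules over process-creation command lines (copied from the list above, plus two constructed benign lines as controls) and then correlates a minute-interval scheduled task with the cacls call that strips the dropping user's rights from the same file. The rule IDs, and the assumption that payloads of interest live under AppData\Local\Temp or AppData\Roaming, belong to the example, not the report.

```python
"""Detection for the persistence chain recorded in the process list above.

Added example, not part of the sandbox report: a minimal rule engine over
process-creation command lines (Sysmon event 1 / 4688 style) that flags the
behaviours the report shows and then correlates them into a chain.
"""
import re

# Command lines copied from the process list above. The last two are
# constructed benign controls, so the rules can be shown not to fire on them.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'CACLS "explothe.exe" /P "Admin:N"',
    r'CACLS "explothe.exe" /P "Admin:R" /E',
    r'CACLS "..\fefffe8cea" /P "Admin:N"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
]

# Paths a standard user can write to (assumption of this example): payloads
# living here are the interesting ones.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\', re.I)

# Match on the image *name*, not the full path: the report records the image as
# C:\Windows\SysWOW64\schtasks.exe while the command line says System32, because
# the 32-bit parent is subject to file-system redirection.
SCHTASKS_CREATE = re.compile(r'\bschtasks(?:\.exe)?"?\s+/create\b', re.I)
MINUTE_REPEAT = re.compile(r'/SC\s+MINUTE\s+/MO\s+1\b', re.I)
TASK_RUN = re.compile(r'/TR\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)

# cacls <file> /P <user>:N replaces the ACL and leaves <user> with no access.
# The sample does this to its own payload and directory.
CACLS_DENY = re.compile(
    r'\bcacls(?:\.exe)?"?\s+"?(?P<target>[^"\s]+)"?\s+/P\s+"?(?P<principal>[^:"\s]+):N\b', re.I)

# rundll32 <dll>,<export> with the DLL in the user profile (clip64.dll, Main above).
RUNDLL32 = re.compile(
    r'\brundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)


def task_target(cmdline):
    """Return the /TR program of a schtasks command line, or '' if absent."""
    m = TASK_RUN.search(cmdline)
    if not m:
        return ''
    return m.group('q') if m.group('q') is not None else m.group('u')


def classify(cmdline):
    """Return the IDs of the rules that fire on one command line."""
    hits = []
    if SCHTASKS_CREATE.search(cmdline) and MINUTE_REPEAT.search(cmdline) \
            and USER_WRITABLE.search(task_target(cmdline)):
        hits.append('schtasks_minute_user_path')
    if CACLS_DENY.search(cmdline):
        hits.append('cacls_self_deny')
    m = RUNDLL32.search(cmdline)
    if m and USER_WRITABLE.search(m.group('dll')):
        hits.append('rundll32_user_profile_dll')
    return hits


def persistence_chains(cmdlines):
    """Correlate a minute-interval task with a later self-deny ACL on the same file.

    Returns (task target path, principal denied) pairs. One rule firing is worth
    a look; the pair together is the loader's signature.
    """
    chains = []
    for i, line in enumerate(cmdlines):
        if 'schtasks_minute_user_path' not in classify(line):
            continue
        target = task_target(line)
        base = target.rsplit('\\', 1)[-1].lower()
        for later in cmdlines[i + 1:]:
            m = CACLS_DENY.search(later)
            if m and m.group('target').lower().endswith(base):
                chains.append((target, m.group('principal')))
                break
    return chains


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        hits = classify(line)
        if hits:
            print(', '.join(hits), '<-', line[:70])
    for target, who in persistence_chains(SAMPLE_CMDLINES):
        print('persistence chain:', target, 'denied to', who)
```

Two details are worth keeping when porting this to a SIEM. Match schtasks, cacls and rundll32 by image name rather than full path, for the SysWOW64/System32 reason noted in the code. And treat the `CACLS "explothe.exe" /P "Admin:R" /E` line as part of the same chain even though on its own it looks harmless: after the preceding `Admin:N` it leaves the user with read access only, and the task still fires, as the repeated explothe.exe and oneetx.exe launches after taskeng.exe in the list above show.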

Network

Country Destination Domain Proto
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.55:19071 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
BG 171.22.28.239:42359 tcp
NL 85.209.176.128:80 tcp
IT 185.196.9.65:80 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 hellouts.fun udp
DE 168.119.126.250:19180 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 www.facebook.com udp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 api.ip.sb udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 172.67.75.172:443 api.ip.sb tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.35:443 facebook.com tcp
GB 157.240.221.35:443 facebook.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
GB 157.240.221.35:443 fbcdn.net tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 fbsbx.com udp
GB 157.240.221.35:443 fbsbx.com tcp
GB 157.240.221.35:443 fbsbx.com tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 www.microsoft.com udp
FI 77.91.124.55:19071 tcp
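
Read raw, the table above is dominated by hellouts.fun and by Facebook, Google and Microsoft hosts, while the connections that matter are the short list of bare IP addresses on ports such as 19071, 4341, 42359 and 19180 that never appear in a DNS answer. The block below is an added example written for this page, not part of the report: it parses rows in the report's "Country Destination Domain Proto" format and buckets them so that list comes out first. Its sample input is a subset of the rows above; the benign-suffix allowlist and the set of IP-lookup services are assumptions of the example. The browser traffic is accounted for by the process list: the sample launched iexplore.exe against https://www.facebook.com/login, and the .NET shim opened a go.microsoft.com link for 135D.exe.

```python
"""Triage of the Network table above.

Added example, not part of the sandbox report: parses the report's connection
rows and sorts each one into a bucket, so the C2 candidates are not buried
under the browser traffic the sample itself caused.
"""
import re
from collections import Counter

# A subset of the rows above, copied as printed in the report.
NETWORK_ROWS = """\
Country Destination Domain Proto
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
BG 171.22.28.239:42359 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 hellouts.fun udp
DE 168.119.126.250:19180 tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 85.209.176.128:80 tcp
"""

ROW = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$')

# Assumptions of this example, not from the report: suffixes that belong to the
# browser noise, and services that only return the caller's public IP.
BENIGN_SUFFIXES = ('facebook.com', 'fbcdn.net', 'fbsbx.com', 'google.com',
                   'youtube.com', 'microsoft.com')
IP_CHECK_SERVICES = {'api.ip.sb'}


def parse_rows(text):
    """Parse report rows; the header and blank lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            r = m.groupdict()
            r['port'] = int(r['port'])
            rows.append(r)
    return rows


def classify_row(r):
    if r['proto'] == 'udp' and r['port'] == 53:
        return 'dns'
    d = r['domain']
    # An empty domain column, or one that just repeats the address, is read here
    # as a connection to a literal IP with no name resolution in the capture.
    if not d or d == r['ip']:
        return 'direct_ip'
    if d in IP_CHECK_SERVICES:
        return 'ip_check'
    if any(d == s or d.endswith('.' + s) for s in BENIGN_SUFFIXES):
        return 'allowlisted'
    return 'custom_domain'


def triage(rows):
    out = {'dns_queries': set(), 'direct_ip': Counter(), 'custom_domain': Counter(),
           'ip_check': Counter(), 'allowlisted': Counter()}
    for r in rows:
        kind = classify_row(r)
        if kind == 'dns':
            if r['domain']:
                out['dns_queries'].add(r['domain'])
        elif kind == 'direct_ip':
            out['direct_ip'][(r['ip'], r['port'])] += 1
        else:
            out[kind][r['domain']] += 1
    return out


def c2_candidates(rows):
    """Direct-IP endpoints, non-standard ports first: nothing in the DNS log
    explains them, so they are the first things to block and pivot on."""
    direct = triage(rows)['direct_ip']
    ordered = sorted(direct, key=lambda e: (e[1] in (80, 443), e[0], e[1]))
    return [f'{ip}:{port}' for ip, port in ordered]


if __name__ == '__main__':
    rows = parse_rows(NETWORK_ROWS)
    t = triage(rows)
    print('DNS lookups      :', sorted(t['dns_queries']))
    print('custom domains   :', dict(t['custom_domain']))
    print('IP-check services:', dict(t['ip_check']))
    print('browser noise    :', dict(t['allowlisted']))
    print('C2 candidates    :', c2_candidates(rows))
```

The allowlist is deliberately narrow and should stay that way: a domain being well known is not the same as it being benign here (the sample itself opened the Facebook login page), so the allowlisted bucket only keeps noise out of the C2 list and is not a verdict. The ip_check bucket is kept separate because a public-IP lookup right after execution is a common stealer fingerprinting step and is itself a weak signal.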

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe

MD5 dc37243c4ed09c3837a7a5c924f5c896
SHA1 b0ea4e503d3fdda1ced01561826ef17763aa2905
SHA256 9b571b455210053b1dbeeba111c8f74e4a59a10fb0ea867fba8a18c1651fbfcd
SHA512 8aa656f48d00c439f8a491624d284b8bd5b39f9db05c1141b7351b72f4a8f5f76553e6c91fc4f9e24f9147ce86bcb5de04dd16aecc737301cd4769a87e4d684d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe

MD5 dc37243c4ed09c3837a7a5c924f5c896
SHA1 b0ea4e503d3fdda1ced01561826ef17763aa2905
SHA256 9b571b455210053b1dbeeba111c8f74e4a59a10fb0ea867fba8a18c1651fbfcd
SHA512 8aa656f48d00c439f8a491624d284b8bd5b39f9db05c1141b7351b72f4a8f5f76553e6c91fc4f9e24f9147ce86bcb5de04dd16aecc737301cd4769a87e4d684d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe

MD5 044f3d4cccda079733c83f6cf816ae16
SHA1 61ae1d263ed6012f85c5b91c98785e64ee4d0d9d
SHA256 bb3aabcf7d896bb6d04dbaac9d0ca627b22da37a2a686a4d3cf8ad6c83d8f522
SHA512 ae1f98fe31b0b2d10312d665dcc0ad28be819c1d00156415cd8c306ad8996708e02b455e67c13481149c25f541c6f4eba303f56673d79120d959cb180199d73c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe

MD5 044f3d4cccda079733c83f6cf816ae16
SHA1 61ae1d263ed6012f85c5b91c98785e64ee4d0d9d
SHA256 bb3aabcf7d896bb6d04dbaac9d0ca627b22da37a2a686a4d3cf8ad6c83d8f522
SHA512 ae1f98fe31b0b2d10312d665dcc0ad28be819c1d00156415cd8c306ad8996708e02b455e67c13481149c25f541c6f4eba303f56673d79120d959cb180199d73c

\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe

MD5 e301bed7b87d6c225e5a2ffe2576a7e4
SHA1 52eac9b55a9b076060404699ea9ea79364e6692c
SHA256 a7b1376708d8d6718b7a63acf11d83c15b890607f9fed190ce9d4606bc27dbcd
SHA512 0249d96304096f144c1bffbd80063b600ee610d7681e63d17543ddb6490b3bf792b68888dea8d9f86c1bcfbda1753848920d9ddcfa44e7070a297714cc778256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe

MD5 e301bed7b87d6c225e5a2ffe2576a7e4
SHA1 52eac9b55a9b076060404699ea9ea79364e6692c
SHA256 a7b1376708d8d6718b7a63acf11d83c15b890607f9fed190ce9d4606bc27dbcd
SHA512 0249d96304096f144c1bffbd80063b600ee610d7681e63d17543ddb6490b3bf792b68888dea8d9f86c1bcfbda1753848920d9ddcfa44e7070a297714cc778256

\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe

MD5 1ad120e8168377fec9878bb0104d5689
SHA1 9cc8e371950cc6a376e2b79cf3f645c275be3af8
SHA256 fffbaba1b4d01832e95942a13812e4a77ac034a38301a8715f1147f6c4ea6881
SHA512 56f6ce07b5c43738fb0cc4eea5891e8b199820256781af5ce7971991b4e8605fe15492fd93fcf644dad0dd71939b498830a935e65122bb1d4fbed3bfd66aed7a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe

MD5 1ad120e8168377fec9878bb0104d5689
SHA1 9cc8e371950cc6a376e2b79cf3f645c275be3af8
SHA256 fffbaba1b4d01832e95942a13812e4a77ac034a38301a8715f1147f6c4ea6881
SHA512 56f6ce07b5c43738fb0cc4eea5891e8b199820256781af5ce7971991b4e8605fe15492fd93fcf644dad0dd71939b498830a935e65122bb1d4fbed3bfd66aed7a

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe

MD5 735f011d5951607df38926017c71457b
SHA1 67ac16f69938611259342c3e958498a52adbeba5
SHA256 7a90d7e5129fe050f02a4a067d17ca9acfae7f154d68b6a3ab49dcca13b0a028
SHA512 a2a59a8bbfe7bf6d80dd6fa7aebe8d22cc1e0931587526672093b802d4d8986fd661e85df6363d8f7c47206e29606bfb30fdaeec09a02313e76062c112099be0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe

MD5 735f011d5951607df38926017c71457b
SHA1 67ac16f69938611259342c3e958498a52adbeba5
SHA256 7a90d7e5129fe050f02a4a067d17ca9acfae7f154d68b6a3ab49dcca13b0a028
SHA512 a2a59a8bbfe7bf6d80dd6fa7aebe8d22cc1e0931587526672093b802d4d8986fd661e85df6363d8f7c47206e29606bfb30fdaeec09a02313e76062c112099be0

memory/2460-50-0x0000000000E00000-0x0000000000E0A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe

MD5 7c95e5d57f635ca970b10a8df879b8ba
SHA1 4cf916479053a57749a28f9bdea0e2d683504bc0
SHA256 85d9e05afbe86c05e9eba2dbaaf03fe38c20cb1555a5e60414c6794ad06c4062
SHA512 a5be7a4a31ae0af0d8b36a40b099e93924d2c248f1c6aa04cb9646d813063e59503c86b4fe6fbc6af578adeee1c77d05dfceba6e99504733c6a077fe59272ca9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe

MD5 7c95e5d57f635ca970b10a8df879b8ba
SHA1 4cf916479053a57749a28f9bdea0e2d683504bc0
SHA256 85d9e05afbe86c05e9eba2dbaaf03fe38c20cb1555a5e60414c6794ad06c4062
SHA512 a5be7a4a31ae0af0d8b36a40b099e93924d2c248f1c6aa04cb9646d813063e59503c86b4fe6fbc6af578adeee1c77d05dfceba6e99504733c6a077fe59272ca9

memory/1004-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1004-67-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1004-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1004-69-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1004-70-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/2856-77-0x00000000011D0000-0x000000000120E000-memory.dmp

memory/1368-78-0x00000000027C0000-0x00000000027D6000-memory.dmp

memory/1004-80-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE64.exe

MD5 abd3cb83e6c527fabddde899b08e6cf4
SHA1 ce26b1a7bf7e064b7f673ce0f53591966cf5ee27
SHA256 64b54692a0d2e91ca597edbe0ae79c9f02e85f9034222b551cc34756945bc8f5
SHA512 19667fff95bdee26ca0051e78f0253879b8ead7122008c32b7eeb708930a7fefe4fce0b81eeba1fff66e8f548d875bf72aeea1050dae8d8a45884459c712fe3c

\Users\Admin\AppData\Local\Temp\EE64.exe

MD5 abd3cb83e6c527fabddde899b08e6cf4
SHA1 ce26b1a7bf7e064b7f673ce0f53591966cf5ee27
SHA256 64b54692a0d2e91ca597edbe0ae79c9f02e85f9034222b551cc34756945bc8f5
SHA512 19667fff95bdee26ca0051e78f0253879b8ead7122008c32b7eeb708930a7fefe4fce0b81eeba1fff66e8f548d875bf72aeea1050dae8d8a45884459c712fe3c

C:\Users\Admin\AppData\Local\Temp\EEF2.exe

MD5 001189d3fe945acb0d6fe4ce050ae07a
SHA1 a390d3612b6bb88fcfb3c743ee266b8305451e01
SHA256 6b6610e6ef9952c3d45ff6d84da9cadbd6bab13c442ebdc59fa17433d630a6f2
SHA512 13c83d6cbfea9756fdaa55caa98c18cebbbf97e2a5ea6bbbd2b4ec074c1ad7be6938bed6fe9c4a22b38bbb39e41292827b64df077f9d64d39c16f6390fe5a1f7

\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe

MD5 6e63e357e2be3aa454c2469a17ebd712
SHA1 76d862b3d26cd3ff8e20d5b58e400a9c030defe8
SHA256 0a643c998996d0265e1dc1f37c48161c8b7d7df023e5fd89539ed52c280a4c0c
SHA512 d3088b4d47cff49a3bcbe1337862c9555411f5a4446af73749f8ac3d7da9b0d795f288fc1b6a4c037714fa5aa42f9d7ae03cac4375a5d83f83a8b011cf5f13c7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe

MD5 6e63e357e2be3aa454c2469a17ebd712
SHA1 76d862b3d26cd3ff8e20d5b58e400a9c030defe8
SHA256 0a643c998996d0265e1dc1f37c48161c8b7d7df023e5fd89539ed52c280a4c0c
SHA512 d3088b4d47cff49a3bcbe1337862c9555411f5a4446af73749f8ac3d7da9b0d795f288fc1b6a4c037714fa5aa42f9d7ae03cac4375a5d83f83a8b011cf5f13c7

C:\Users\Admin\AppData\Local\Temp\F01B.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe

MD5 e4bec05c11fa60451b75b002a37787a6
SHA1 1e845fb313f31b740de7e62ac83cd4a9335f4ca1
SHA256 4779096c8171f491747f12b09b34feef5bb03aa898e66982f05423939bdc1f63
SHA512 e2dbad68440eaec97dbe9d49013366724e0f44ee5869b87f2233ba0062fdaf2968e99ae7fd456a7b065681ad9110ec0ce82b94afbaec5d5e3df7da0f995a65e0

C:\Users\Admin\AppData\Local\Temp\F0B8.exe

MD5 3a8986a25e4a999487b21a0082159f6e
SHA1 bddd0e748d580c594f8f4609eb5306510c145474
SHA256 dbf481c173a517b677b2773485c7fbc175ccf67186343929b210ee1c367d1286
SHA512 30f9140fd1c822c1917c5c289ca82e6cfa71ca12f318d4b4c01bec62b6451740c3b2f8791c633d339a3361795b9f8339364530f08e402964a042248b3dfc9e13

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe

MD5 e4bec05c11fa60451b75b002a37787a6
SHA1 1e845fb313f31b740de7e62ac83cd4a9335f4ca1
SHA256 4779096c8171f491747f12b09b34feef5bb03aa898e66982f05423939bdc1f63
SHA512 e2dbad68440eaec97dbe9d49013366724e0f44ee5869b87f2233ba0062fdaf2968e99ae7fd456a7b065681ad9110ec0ce82b94afbaec5d5e3df7da0f995a65e0

C:\Users\Admin\AppData\Local\Temp\F2DB.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe

MD5 eafd6d5a85421108e737442c46c00c4e
SHA1 b8c4036672f16fd31f09fc2f4877e69024eb6ee3
SHA256 2362ddc559aadf041fedd781cb2d091cf740fce1ca65dcf426505b0d8627146c
SHA512 0aa058c553f7d67deb9e07f55a1e05605c78378ff843a32c110cafca09b9457df78c3f783a1031510f9447fe197aee7a9fab2d4ab75b88272f566325e292605f

memory/2912-142-0x00000000003D0000-0x00000000003F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\F51D.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe

MD5 eafd6d5a85421108e737442c46c00c4e
SHA1 b8c4036672f16fd31f09fc2f4877e69024eb6ee3
SHA256 2362ddc559aadf041fedd781cb2d091cf740fce1ca65dcf426505b0d8627146c
SHA512 0aa058c553f7d67deb9e07f55a1e05605c78378ff843a32c110cafca09b9457df78c3f783a1031510f9447fe197aee7a9fab2d4ab75b88272f566325e292605f

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\3st9xC37.exe

MD5 de18d3812f7845a4b175241b5b44152e
SHA1 368392300765a33d814c542fc4b496510e481b73
SHA256 caee6546fe64adb58984fc4fb1b2d380fb9f60a505de916a2c8912592132d0f8
SHA512 85d7e61fefd8a02b7c21af15ae50c1198cbf04e2ce6f8dc7bf74b65db7ad25c3113c2e568b1398bbc7ea3ed475845881af49ca9961ced2fd5cd0a1280784617d

C:\Users\Admin\AppData\Local\Temp\F676.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\F703.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe

MD5 1a40893ddfab954173f8be6aafc00836
SHA1 2d636b34b62eb4ec2f1d6086823fc6800794ecdf
SHA256 172ec12d8a8d9b142e384d94e19be5ab04ffd5274d755986891526d4012c27d1
SHA512 5596dff6abbd4bdb543f46173d07b4f15a28630fa8a7ebd6d5b192d374826faad9fe4362e1433f0f7e80fb696689d1d6263aacecfaf80aec0d8439cafe903e90

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe

MD5 1a40893ddfab954173f8be6aafc00836
SHA1 2d636b34b62eb4ec2f1d6086823fc6800794ecdf
SHA256 172ec12d8a8d9b142e384d94e19be5ab04ffd5274d755986891526d4012c27d1
SHA512 5596dff6abbd4bdb543f46173d07b4f15a28630fa8a7ebd6d5b192d374826faad9fe4362e1433f0f7e80fb696689d1d6263aacecfaf80aec0d8439cafe903e90

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe

MD5 8d107aceb5cc2945bf0b1e107b1e2de7
SHA1 ce93a24ff8e704bcda0141790209440c03a4ae30
SHA256 7513a7aef4d5b46ad860049ed265f30c173e190d9521461bce9f9be844d6b7c0
SHA512 62a3a029728dde1aa58adb587b7eabc9e50fa6c11fd47e1ea5ddc072287fb8382614943678339221da3b36d3a7ac0e0ed3258ed0e3a7f3cec1ab45529e49ef12

\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe

MD5 8d107aceb5cc2945bf0b1e107b1e2de7
SHA1 ce93a24ff8e704bcda0141790209440c03a4ae30
SHA256 7513a7aef4d5b46ad860049ed265f30c173e190d9521461bce9f9be844d6b7c0
SHA512 62a3a029728dde1aa58adb587b7eabc9e50fa6c11fd47e1ea5ddc072287fb8382614943678339221da3b36d3a7ac0e0ed3258ed0e3a7f3cec1ab45529e49ef12

memory/3056-194-0x00000000003D0000-0x00000000003EE000-memory.dmp

memory/2912-195-0x0000000000530000-0x000000000054E000-memory.dmp

memory/2912-199-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2972-200-0x0000000000600000-0x000000000065A000-memory.dmp

memory/2912-201-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-205-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-210-0x0000000000530000-0x0000000000548000-memory.dmp

memory/1660-213-0x0000000000CA0000-0x0000000000CFA000-memory.dmp

memory/2912-212-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-215-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-217-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-219-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-227-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-224-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-229-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-231-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-233-0x0000000000530000-0x0000000000548000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\135D.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/1996-245-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2912-247-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-235-0x0000000000530000-0x0000000000548000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\181F.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\19D6.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

memory/1996-260-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2912-258-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2912-261-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2712-264-0x00000000009F0000-0x0000000000E48000-memory.dmp

memory/1960-263-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2496-267-0x0000000000240000-0x000000000027E000-memory.dmp

memory/2912-265-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/2912-269-0x0000000004860000-0x00000000048A0000-memory.dmp

memory/2912-271-0x0000000004860000-0x00000000048A0000-memory.dmp

memory/3056-273-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/1572-280-0x00000000049D0000-0x0000000004DC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

memory/3056-276-0x0000000002460000-0x00000000024A0000-memory.dmp

memory/2972-281-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1660-284-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/2972-285-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/2972-288-0x0000000007150000-0x0000000007190000-memory.dmp

memory/2712-289-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/1660-290-0x0000000007240000-0x0000000007280000-memory.dmp

memory/2276-292-0x0000000000FC0000-0x00000000010DB000-memory.dmp

memory/1960-293-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2496-294-0x0000000074490000-0x0000000074B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1572-298-0x00000000049D0000-0x0000000004DC8000-memory.dmp

memory/1572-302-0x0000000004DD0000-0x00000000056BB000-memory.dmp

memory/2496-304-0x0000000007180000-0x00000000071C0000-memory.dmp

memory/2912-303-0x0000000004860000-0x00000000048A0000-memory.dmp

memory/2912-305-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/1572-306-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1572-307-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2816-308-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/1304-311-0x0000000000C10000-0x0000000000C4E000-memory.dmp

memory/1572-312-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2496-340-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/3056-352-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/3056-354-0x0000000002460000-0x00000000024A0000-memory.dmp

memory/1660-357-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/2972-359-0x0000000074490000-0x0000000074B7E000-memory.dmp

memory/2972-360-0x0000000007150000-0x0000000007190000-memory.dmp

memory/1660-361-0x0000000007240000-0x0000000007280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9E35.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2496-376-0x0000000007180000-0x00000000071C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarA16E.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af5fdb8ce01cce488cd8c1887d76293f
SHA1 8c0192b84880b6dcfc9c09c33d98cc83e4622f8e
SHA256 ed02059f4f69512e0c41a5700c0a575e85ea822c6e194469e9b7389189d16dd5
SHA512 6d8ea2a82054c9070a643e064cd6105160417152216a1e6ed1c9ab686527981b31922b1d4f57d870ed65809a69657d076490a391d6c8162e4b2ea712e56e617a

memory/1572-433-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0410e020ad97e88a275bfeee0084df9b
SHA1 6df890da4f756248ec2f366fa6f2d5fce39515c8
SHA256 5560bd31ee944530d9c50fe231e52bab6d470acd7dc6209539d21dd8c61f5a66
SHA512 bd9cc191d63fae266eae794138880c69e623a92fddb421c3af750875ae1db8652160d6f97f43f5a30ab8cfff536aec1b0135c6cd588ad5470344134c625dbab9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1dccad8ec08c4518b8b44a5b0f4400c9
SHA1 032ef8bf9029c693f4881fd48e815094fd52f153
SHA256 c534a99bef6e809f53d2e35cf4b51f49ee4f515262ba6ecec4873f918db60604
SHA512 57912e749db19409822840e0cc98d9eaacc0392d6244eb0258148d775c80993c55c9a853b7609b3e17d1a509c209910bac5190af47f319b17ac8e3cb26ade287

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9EBD80E624B865607A21974E30809640

MD5 282839c4a6f8698881ec8e988c8528e4
SHA1 4262f40b8af52ea3b38644bcb6a0c681548225d1
SHA256 e6e52207e2d94a4835d7bb179dfb5931bbc83d8f5c9d7693e0c1818d8dabbaf0
SHA512 066b09faccec5c56c708e98e20bcfaad36a15c35740b8f6c974d529e5dfa887cde4e273f21c06607fdd70458804c22d9be86a8ad97b71168b97ddc90860f8fa7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9EBD80E624B865607A21974E30809640

MD5 f02b76bfd6055df0d880bf655b413dfa
SHA1 5e7d3a2cd417a20a13c521ececdd73785a01e1ec
SHA256 49ed95035f613a90e9364a9bf733da44a45ed81c343f84af0e95c01f98edc4ae
SHA512 63d27f41a1b04b2415f8fc6d55403eb825e7ddf33a3639b5ca2077a94887e6a3e25d90a72b5584745a63cf4a77e2b09c9faaad6bd30f2b0238c3a6fc650da19a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14d4da658f562fa8141c4a6f2eb1d48a
SHA1 89de896dbb6a6d7351d5dfa1e7f68377de10c15b
SHA256 d18d623e8a4574ffd2abdaacc9792d689750e909cbca89285d77185507cee16f
SHA512 349ce5aa9289d1a201366a143e1be8bb125680a7684b09372ca0619d2586d5525ca42f79eb550b6e711cabfb5a303af9bae208f841cea13c6b1183da8cdd7b9d

memory/1572-891-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1b0b070bb72653cdc8853a486b3f6b8
SHA1 a73768bf633b04becbf8990f42d437c0e5d65319
SHA256 b5e576f21db6df32581205185fe77bf264fb94a6e8f1f39cb884f5ac6b0c3692
SHA512 314c433279266083e8ac274df71f633f723396b605e28d2127b6e960ab72ceb391eb2ddab5c03beaf64811996548f23dc8008622c5560b85d03228bfe691c6a3

memory/2972-948-0x0000000074490000-0x0000000074B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 5169c1f7ace9fb9d02e272c9744caca8
SHA1 0831a63faaa3ada122e67d2e888966b11091a73d
SHA256 328e10ac8c1982f2130aba32b41521202f45329b8a70848b9dde954b13263e35
SHA512 07b6870e99084450fc2e6d7effdffaa004e82c2f4fb5d52456981e9a16cbedbfdd927d666f87a6443629c63c308497e3d61195068b725da13e002ca397bdb91e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00c6c5447042b3b29221115c783cf0c1
SHA1 c222a8d1b0140006f3efb20e42c8fbf54208fb98
SHA256 09fc1750af9293656ee712055f42404237eb72dd3b9fd2c7330f66df1786a9d2
SHA512 91108f51633073f47b0f996c520a46daf25bde154ab9da7da68d4c3097e59fccc34acdd18272010103f92530a937410287650828211f26e698ace2bf7ae275f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac0a284bb45de22fa006367fb0b828c4
SHA1 612914a85267a0c2ce3011b778a21b8776b3c0b0
SHA256 36ec6aba728a9b5681f5a91a25e97736dc8dc62dcfaad98582e6aabe4c8093a0
SHA512 5158d7318f66328d86ee3f84b02549db2381a9eef0f6f65b50f8c7076a3867fd1ed4f8b447bd83ae1d0d26f9eedc5787240d6b763568b31ff0e53164e0077c26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5d4853b78df8b3f9a6ec0e3135e9423
SHA1 d081b78c5555affa0d8dce4f7997b81fc9744983
SHA256 99883073fa8df5df8b34dc881e87e3e7fe70334b68cba08bc1e162c448aea3ee
SHA512 f808437e2c8a397a5cc0f69eda17adfce312a4fa24e61af1f49e638ee13d688265f1a4e1625fa4d9f092985d9eab80fc984cfaee471ad2c4beac7cb0f8d03d27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e416ecaee4881031ec50b9eaa256544
SHA1 ecf9bf4465e962a42c942bd4851cdd426f175e50
SHA256 868b6aa027656366545f89ea3a55261b2f1ce2b3dfc8afbf5a998026efc89551
SHA512 f4642e7535a4cae809cfca994d74d94314743d4195be5aa6b46942400ba06bb6a9d4d266c6bf45eae6ebe27962c6e9283384dd33e2ca5a7b264e0ed2ab4ae82e

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-18 16:50

Reported 2023-10-18 16:53

Platform win10v2004-20230915-en

Max time kernel 130s

Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\2579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\2579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\2579.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4720.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\26F1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1FB8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2130.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2579.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2B28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2E46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3741.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4720.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4AEA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ED3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\53E5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57BE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2sh993Wh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\2579.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1FB8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\4ED3.exe'\"" C:\Users\Admin\AppData\Local\Temp\4ED3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2579.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2E46.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5052 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 5052 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 5052 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe
PID 1872 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 1872 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 1872 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe
PID 3852 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 3852 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 3852 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe
PID 1644 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 1644 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 1644 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe
PID 4348 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 4348 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 4348 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe
PID 4348 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 4348 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 4348 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe
PID 1644 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 1644 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 1644 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe
PID 1968 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1968 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1968 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1968 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1968 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1968 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3852 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe
PID 3852 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe
PID 3852 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe
PID 3196 wrote to memory of 4940 N/A N/A C:\Users\Admin\AppData\Local\Temp\1FB8.exe
PID 3196 wrote to memory of 4940 N/A N/A C:\Users\Admin\AppData\Local\Temp\1FB8.exe
PID 3196 wrote to memory of 4940 N/A N/A C:\Users\Admin\AppData\Local\Temp\1FB8.exe
PID 4940 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\1FB8.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe
PID 4940 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\1FB8.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe
PID 4940 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\1FB8.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe
PID 3196 wrote to memory of 3264 N/A N/A C:\Users\Admin\AppData\Local\Temp\2130.exe
PID 3196 wrote to memory of 3264 N/A N/A C:\Users\Admin\AppData\Local\Temp\2130.exe
PID 3196 wrote to memory of 3264 N/A N/A C:\Users\Admin\AppData\Local\Temp\2130.exe
PID 3552 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe
PID 3552 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe
PID 3552 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe
PID 4224 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe
PID 4224 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe
PID 4224 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe
PID 3196 wrote to memory of 4108 N/A N/A C:\Windows\system32\cmd.exe
PID 3196 wrote to memory of 4108 N/A N/A C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe
PID 2176 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe
PID 2176 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe
PID 4520 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe
PID 4520 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe
PID 4520 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe
PID 3196 wrote to memory of 3440 N/A N/A C:\Users\Admin\AppData\Local\Temp\23F1.exe
PID 3196 wrote to memory of 3440 N/A N/A C:\Users\Admin\AppData\Local\Temp\23F1.exe
PID 3196 wrote to memory of 3440 N/A N/A C:\Users\Admin\AppData\Local\Temp\23F1.exe
PID 3196 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\Temp\2579.exe
PID 3196 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\Temp\2579.exe
PID 3196 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\Temp\2579.exe
PID 3196 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\26F1.exe
PID 3196 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\26F1.exe
PID 3196 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\26F1.exe
PID 4108 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4108 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe

"C:\Users\Admin\AppData\Local\Temp\a5050402ceb0a865b0ae6d146af53779.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

C:\Users\Admin\AppData\Local\Temp\1FB8.exe

C:\Users\Admin\AppData\Local\Temp\1FB8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe

C:\Users\Admin\AppData\Local\Temp\2130.exe

C:\Users\Admin\AppData\Local\Temp\2130.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2298.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe

C:\Users\Admin\AppData\Local\Temp\23F1.exe

C:\Users\Admin\AppData\Local\Temp\23F1.exe

C:\Users\Admin\AppData\Local\Temp\2579.exe

C:\Users\Admin\AppData\Local\Temp\2579.exe

C:\Users\Admin\AppData\Local\Temp\26F1.exe

C:\Users\Admin\AppData\Local\Temp\26F1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\2B28.exe

C:\Users\Admin\AppData\Local\Temp\2B28.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd219146f8,0x7ffd21914708,0x7ffd21914718

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\2E46.exe

C:\Users\Admin\AppData\Local\Temp\2E46.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\30A8.exe

C:\Users\Admin\AppData\Local\Temp\30A8.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\3741.exe

C:\Users\Admin\AppData\Local\Temp\3741.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd219146f8,0x7ffd21914708,0x7ffd21914718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,8483622182814495084,17087554841966486218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\4720.exe

C:\Users\Admin\AppData\Local\Temp\4720.exe

C:\Users\Admin\AppData\Local\Temp\4AEA.exe

C:\Users\Admin\AppData\Local\Temp\4AEA.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2B28.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\4ED3.exe

C:\Users\Admin\AppData\Local\Temp\4ED3.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd219146f8,0x7ffd21914708,0x7ffd21914718

C:\Users\Admin\AppData\Local\Temp\53E5.exe

C:\Users\Admin\AppData\Local\Temp\53E5.exe

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\57BE.exe

C:\Users\Admin\AppData\Local\Temp\57BE.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2B28.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd219146f8,0x7ffd21914708,0x7ffd21914718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6825728044153554580,13456535974440373288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2sh993Wh.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2sh993Wh.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5604 -ip 5604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 540

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe

MD5 dc37243c4ed09c3837a7a5c924f5c896
SHA1 b0ea4e503d3fdda1ced01561826ef17763aa2905
SHA256 9b571b455210053b1dbeeba111c8f74e4a59a10fb0ea867fba8a18c1651fbfcd
SHA512 8aa656f48d00c439f8a491624d284b8bd5b39f9db05c1141b7351b72f4a8f5f76553e6c91fc4f9e24f9147ce86bcb5de04dd16aecc737301cd4769a87e4d684d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh2KC83.exe

MD5 dc37243c4ed09c3837a7a5c924f5c896
SHA1 b0ea4e503d3fdda1ced01561826ef17763aa2905
SHA256 9b571b455210053b1dbeeba111c8f74e4a59a10fb0ea867fba8a18c1651fbfcd
SHA512 8aa656f48d00c439f8a491624d284b8bd5b39f9db05c1141b7351b72f4a8f5f76553e6c91fc4f9e24f9147ce86bcb5de04dd16aecc737301cd4769a87e4d684d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe

MD5 044f3d4cccda079733c83f6cf816ae16
SHA1 61ae1d263ed6012f85c5b91c98785e64ee4d0d9d
SHA256 bb3aabcf7d896bb6d04dbaac9d0ca627b22da37a2a686a4d3cf8ad6c83d8f522
SHA512 ae1f98fe31b0b2d10312d665dcc0ad28be819c1d00156415cd8c306ad8996708e02b455e67c13481149c25f541c6f4eba303f56673d79120d959cb180199d73c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wb0vP51.exe

MD5 044f3d4cccda079733c83f6cf816ae16
SHA1 61ae1d263ed6012f85c5b91c98785e64ee4d0d9d
SHA256 bb3aabcf7d896bb6d04dbaac9d0ca627b22da37a2a686a4d3cf8ad6c83d8f522
SHA512 ae1f98fe31b0b2d10312d665dcc0ad28be819c1d00156415cd8c306ad8996708e02b455e67c13481149c25f541c6f4eba303f56673d79120d959cb180199d73c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe

MD5 e301bed7b87d6c225e5a2ffe2576a7e4
SHA1 52eac9b55a9b076060404699ea9ea79364e6692c
SHA256 a7b1376708d8d6718b7a63acf11d83c15b890607f9fed190ce9d4606bc27dbcd
SHA512 0249d96304096f144c1bffbd80063b600ee610d7681e63d17543ddb6490b3bf792b68888dea8d9f86c1bcfbda1753848920d9ddcfa44e7070a297714cc778256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xk7BG90.exe

MD5 e301bed7b87d6c225e5a2ffe2576a7e4
SHA1 52eac9b55a9b076060404699ea9ea79364e6692c
SHA256 a7b1376708d8d6718b7a63acf11d83c15b890607f9fed190ce9d4606bc27dbcd
SHA512 0249d96304096f144c1bffbd80063b600ee610d7681e63d17543ddb6490b3bf792b68888dea8d9f86c1bcfbda1753848920d9ddcfa44e7070a297714cc778256

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe

MD5 1ad120e8168377fec9878bb0104d5689
SHA1 9cc8e371950cc6a376e2b79cf3f645c275be3af8
SHA256 fffbaba1b4d01832e95942a13812e4a77ac034a38301a8715f1147f6c4ea6881
SHA512 56f6ce07b5c43738fb0cc4eea5891e8b199820256781af5ce7971991b4e8605fe15492fd93fcf644dad0dd71939b498830a935e65122bb1d4fbed3bfd66aed7a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CP3Of07.exe

MD5 1ad120e8168377fec9878bb0104d5689
SHA1 9cc8e371950cc6a376e2b79cf3f645c275be3af8
SHA256 fffbaba1b4d01832e95942a13812e4a77ac034a38301a8715f1147f6c4ea6881
SHA512 56f6ce07b5c43738fb0cc4eea5891e8b199820256781af5ce7971991b4e8605fe15492fd93fcf644dad0dd71939b498830a935e65122bb1d4fbed3bfd66aed7a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe

MD5 735f011d5951607df38926017c71457b
SHA1 67ac16f69938611259342c3e958498a52adbeba5
SHA256 7a90d7e5129fe050f02a4a067d17ca9acfae7f154d68b6a3ab49dcca13b0a028
SHA512 a2a59a8bbfe7bf6d80dd6fa7aebe8d22cc1e0931587526672093b802d4d8986fd661e85df6363d8f7c47206e29606bfb30fdaeec09a02313e76062c112099be0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uC49IO5.exe

MD5 735f011d5951607df38926017c71457b
SHA1 67ac16f69938611259342c3e958498a52adbeba5
SHA256 7a90d7e5129fe050f02a4a067d17ca9acfae7f154d68b6a3ab49dcca13b0a028
SHA512 a2a59a8bbfe7bf6d80dd6fa7aebe8d22cc1e0931587526672093b802d4d8986fd661e85df6363d8f7c47206e29606bfb30fdaeec09a02313e76062c112099be0

memory/4124-35-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

memory/4124-36-0x0000000074050000-0x0000000074800000-memory.dmp

memory/4124-37-0x0000000074050000-0x0000000074800000-memory.dmp

memory/4124-39-0x0000000074050000-0x0000000074800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nK6271.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe

MD5 7c95e5d57f635ca970b10a8df879b8ba
SHA1 4cf916479053a57749a28f9bdea0e2d683504bc0
SHA256 85d9e05afbe86c05e9eba2dbaaf03fe38c20cb1555a5e60414c6794ad06c4062
SHA512 a5be7a4a31ae0af0d8b36a40b099e93924d2c248f1c6aa04cb9646d813063e59503c86b4fe6fbc6af578adeee1c77d05dfceba6e99504733c6a077fe59272ca9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3lC60CJ.exe

MD5 7c95e5d57f635ca970b10a8df879b8ba
SHA1 4cf916479053a57749a28f9bdea0e2d683504bc0
SHA256 85d9e05afbe86c05e9eba2dbaaf03fe38c20cb1555a5e60414c6794ad06c4062
SHA512 a5be7a4a31ae0af0d8b36a40b099e93924d2c248f1c6aa04cb9646d813063e59503c86b4fe6fbc6af578adeee1c77d05dfceba6e99504733c6a077fe59272ca9

memory/2720-46-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2720-47-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4GT227dh.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/4152-51-0x0000000000550000-0x000000000058E000-memory.dmp

memory/4152-52-0x0000000074050000-0x0000000074800000-memory.dmp

memory/4152-53-0x0000000007810000-0x0000000007DB4000-memory.dmp

memory/4152-54-0x0000000007340000-0x00000000073D2000-memory.dmp

memory/4152-55-0x0000000007480000-0x0000000007490000-memory.dmp

memory/4152-56-0x00000000073E0000-0x00000000073EA000-memory.dmp

memory/3196-57-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

memory/2720-59-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4152-61-0x00000000083E0000-0x00000000089F8000-memory.dmp

memory/4152-62-0x0000000074050000-0x0000000074800000-memory.dmp

memory/4152-63-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

memory/4152-64-0x0000000007480000-0x0000000007490000-memory.dmp

memory/4152-65-0x00000000076F0000-0x0000000007702000-memory.dmp

memory/4152-66-0x0000000007750000-0x000000000778C000-memory.dmp

memory/4152-67-0x0000000007790000-0x00000000077DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1FB8.exe

MD5 abd3cb83e6c527fabddde899b08e6cf4
SHA1 ce26b1a7bf7e064b7f673ce0f53591966cf5ee27
SHA256 64b54692a0d2e91ca597edbe0ae79c9f02e85f9034222b551cc34756945bc8f5
SHA512 19667fff95bdee26ca0051e78f0253879b8ead7122008c32b7eeb708930a7fefe4fce0b81eeba1fff66e8f548d875bf72aeea1050dae8d8a45884459c712fe3c

C:\Users\Admin\AppData\Local\Temp\1FB8.exe

MD5 abd3cb83e6c527fabddde899b08e6cf4
SHA1 ce26b1a7bf7e064b7f673ce0f53591966cf5ee27
SHA256 64b54692a0d2e91ca597edbe0ae79c9f02e85f9034222b551cc34756945bc8f5
SHA512 19667fff95bdee26ca0051e78f0253879b8ead7122008c32b7eeb708930a7fefe4fce0b81eeba1fff66e8f548d875bf72aeea1050dae8d8a45884459c712fe3c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe

MD5 6e63e357e2be3aa454c2469a17ebd712
SHA1 76d862b3d26cd3ff8e20d5b58e400a9c030defe8
SHA256 0a643c998996d0265e1dc1f37c48161c8b7d7df023e5fd89539ed52c280a4c0c
SHA512 d3088b4d47cff49a3bcbe1337862c9555411f5a4446af73749f8ac3d7da9b0d795f288fc1b6a4c037714fa5aa42f9d7ae03cac4375a5d83f83a8b011cf5f13c7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dR2YP8pU.exe

MD5 6e63e357e2be3aa454c2469a17ebd712
SHA1 76d862b3d26cd3ff8e20d5b58e400a9c030defe8
SHA256 0a643c998996d0265e1dc1f37c48161c8b7d7df023e5fd89539ed52c280a4c0c
SHA512 d3088b4d47cff49a3bcbe1337862c9555411f5a4446af73749f8ac3d7da9b0d795f288fc1b6a4c037714fa5aa42f9d7ae03cac4375a5d83f83a8b011cf5f13c7

C:\Users\Admin\AppData\Local\Temp\2130.exe

MD5 001189d3fe945acb0d6fe4ce050ae07a
SHA1 a390d3612b6bb88fcfb3c743ee266b8305451e01
SHA256 6b6610e6ef9952c3d45ff6d84da9cadbd6bab13c442ebdc59fa17433d630a6f2
SHA512 13c83d6cbfea9756fdaa55caa98c18cebbbf97e2a5ea6bbbd2b4ec074c1ad7be6938bed6fe9c4a22b38bbb39e41292827b64df077f9d64d39c16f6390fe5a1f7

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe

MD5 e4bec05c11fa60451b75b002a37787a6
SHA1 1e845fb313f31b740de7e62ac83cd4a9335f4ca1
SHA256 4779096c8171f491747f12b09b34feef5bb03aa898e66982f05423939bdc1f63
SHA512 e2dbad68440eaec97dbe9d49013366724e0f44ee5869b87f2233ba0062fdaf2968e99ae7fd456a7b065681ad9110ec0ce82b94afbaec5d5e3df7da0f995a65e0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HN5cO8PA.exe

MD5 e4bec05c11fa60451b75b002a37787a6
SHA1 1e845fb313f31b740de7e62ac83cd4a9335f4ca1
SHA256 4779096c8171f491747f12b09b34feef5bb03aa898e66982f05423939bdc1f63
SHA512 e2dbad68440eaec97dbe9d49013366724e0f44ee5869b87f2233ba0062fdaf2968e99ae7fd456a7b065681ad9110ec0ce82b94afbaec5d5e3df7da0f995a65e0

C:\Users\Admin\AppData\Local\Temp\2130.exe

MD5 001189d3fe945acb0d6fe4ce050ae07a
SHA1 a390d3612b6bb88fcfb3c743ee266b8305451e01
SHA256 6b6610e6ef9952c3d45ff6d84da9cadbd6bab13c442ebdc59fa17433d630a6f2
SHA512 13c83d6cbfea9756fdaa55caa98c18cebbbf97e2a5ea6bbbd2b4ec074c1ad7be6938bed6fe9c4a22b38bbb39e41292827b64df077f9d64d39c16f6390fe5a1f7

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe

MD5 eafd6d5a85421108e737442c46c00c4e
SHA1 b8c4036672f16fd31f09fc2f4877e69024eb6ee3
SHA256 2362ddc559aadf041fedd781cb2d091cf740fce1ca65dcf426505b0d8627146c
SHA512 0aa058c553f7d67deb9e07f55a1e05605c78378ff843a32c110cafca09b9457df78c3f783a1031510f9447fe197aee7a9fab2d4ab75b88272f566325e292605f

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Sy9Co2UD.exe

MD5 eafd6d5a85421108e737442c46c00c4e
SHA1 b8c4036672f16fd31f09fc2f4877e69024eb6ee3
SHA256 2362ddc559aadf041fedd781cb2d091cf740fce1ca65dcf426505b0d8627146c
SHA512 0aa058c553f7d67deb9e07f55a1e05605c78378ff843a32c110cafca09b9457df78c3f783a1031510f9447fe197aee7a9fab2d4ab75b88272f566325e292605f

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\3st9xC37.exe

MD5 de18d3812f7845a4b175241b5b44152e
SHA1 368392300765a33d814c542fc4b496510e481b73
SHA256 caee6546fe64adb58984fc4fb1b2d380fb9f60a505de916a2c8912592132d0f8
SHA512 85d7e61fefd8a02b7c21af15ae50c1198cbf04e2ce6f8dc7bf74b65db7ad25c3113c2e568b1398bbc7ea3ed475845881af49ca9961ced2fd5cd0a1280784617d

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe

MD5 1a40893ddfab954173f8be6aafc00836
SHA1 2d636b34b62eb4ec2f1d6086823fc6800794ecdf
SHA256 172ec12d8a8d9b142e384d94e19be5ab04ffd5274d755986891526d4012c27d1
SHA512 5596dff6abbd4bdb543f46173d07b4f15a28630fa8a7ebd6d5b192d374826faad9fe4362e1433f0f7e80fb696689d1d6263aacecfaf80aec0d8439cafe903e90

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lY5yv6fw.exe

MD5 1a40893ddfab954173f8be6aafc00836
SHA1 2d636b34b62eb4ec2f1d6086823fc6800794ecdf
SHA256 172ec12d8a8d9b142e384d94e19be5ab04ffd5274d755986891526d4012c27d1
SHA512 5596dff6abbd4bdb543f46173d07b4f15a28630fa8a7ebd6d5b192d374826faad9fe4362e1433f0f7e80fb696689d1d6263aacecfaf80aec0d8439cafe903e90

C:\Users\Admin\AppData\Local\Temp\2298.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe

MD5 8d107aceb5cc2945bf0b1e107b1e2de7
SHA1 ce93a24ff8e704bcda0141790209440c03a4ae30
SHA256 7513a7aef4d5b46ad860049ed265f30c173e190d9521461bce9f9be844d6b7c0
SHA512 62a3a029728dde1aa58adb587b7eabc9e50fa6c11fd47e1ea5ddc072287fb8382614943678339221da3b36d3a7ac0e0ed3258ed0e3a7f3cec1ab45529e49ef12

C:\Users\Admin\AppData\Local\Temp\23F1.exe

MD5 3a8986a25e4a999487b21a0082159f6e
SHA1 bddd0e748d580c594f8f4609eb5306510c145474
SHA256 dbf481c173a517b677b2773485c7fbc175ccf67186343929b210ee1c367d1286
SHA512 30f9140fd1c822c1917c5c289ca82e6cfa71ca12f318d4b4c01bec62b6451740c3b2f8791c633d339a3361795b9f8339364530f08e402964a042248b3dfc9e13

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Ro66pN3.exe

MD5 8d107aceb5cc2945bf0b1e107b1e2de7
SHA1 ce93a24ff8e704bcda0141790209440c03a4ae30
SHA256 7513a7aef4d5b46ad860049ed265f30c173e190d9521461bce9f9be844d6b7c0
SHA512 62a3a029728dde1aa58adb587b7eabc9e50fa6c11fd47e1ea5ddc072287fb8382614943678339221da3b36d3a7ac0e0ed3258ed0e3a7f3cec1ab45529e49ef12

C:\Users\Admin\AppData\Local\Temp\23F1.exe

MD5 3a8986a25e4a999487b21a0082159f6e
SHA1 bddd0e748d580c594f8f4609eb5306510c145474
SHA256 dbf481c173a517b677b2773485c7fbc175ccf67186343929b210ee1c367d1286
SHA512 30f9140fd1c822c1917c5c289ca82e6cfa71ca12f318d4b4c01bec62b6451740c3b2f8791c633d339a3361795b9f8339364530f08e402964a042248b3dfc9e13

C:\Users\Admin\AppData\Local\Temp\2579.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

memory/2396-127-0x0000000002360000-0x0000000002380000-memory.dmp

memory/2396-128-0x0000000074050000-0x0000000074800000-memory.dmp

memory/2396-131-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/2396-130-0x0000000002540000-0x000000000255E000-memory.dmp

memory/2396-129-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26F1.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2396-139-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-140-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-134-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/2396-142-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-144-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-146-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-148-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-150-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-152-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-155-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-160-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-162-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-165-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-167-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-169-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2396-173-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2B28.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/2396-177-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2396-180-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2B28.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\2E46.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/324-190-0x00000000020F0000-0x000000000214A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\30A8.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/3192-189-0x00000000005C0000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/324-201-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4888-204-0x0000000074050000-0x0000000074800000-memory.dmp

memory/4888-203-0x0000000000AE0000-0x0000000000B3A000-memory.dmp

memory/3192-195-0x0000000074050000-0x0000000074800000-memory.dmp

memory/3192-205-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/4888-206-0x00000000053F0000-0x0000000005400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3741.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Temp\3741.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/4888-224-0x0000000008480000-0x00000000084E6000-memory.dmp

\??\pipe\LOCAL\crashpad_3560_VHTZKRMVFVQZYLZU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d2f7cb8a764b9b3759f9c2ce813770dd
SHA1 f4e7aa2d0a96ffc76321f1829de1492e169dbb9f
SHA256 15b0908d90438ad37c90423ea7b99a2e57cdafbab2a8940f2b3623509fe7ff2b
SHA512 3dfc299b96088a1f036d2045d9bf6fb474740ba9803a4c4b5d2bd435fbed231cfebab7c42791e7fc0151f911fbd23a4b801a146984e69d75e61b84c6e2178d38

memory/2396-237-0x0000000074050000-0x0000000074800000-memory.dmp

memory/1680-247-0x0000000000210000-0x000000000032B000-memory.dmp

memory/3712-253-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0730abfe7f3c6d045ff24a88d8396bf5
SHA1 4a5d6903a7440d95de44d0dcd36081c6734ebb86
SHA256 7d8bebd046178dac313a5b75a9156830688f817a38a54e6f5a0430f3ced35a5e
SHA512 15b44724bbdcb8960dc4ee9cabf25b0388288efd5fc60f4e7fe177d3543abca6b41c60738f4c79d627832677b8d563ce2ace58c5244c1473e7cf47ea95474b52

memory/2396-272-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/2396-273-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/1680-274-0x0000000000210000-0x000000000032B000-memory.dmp

memory/3712-275-0x0000000074050000-0x0000000074800000-memory.dmp

memory/2396-276-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4720.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/5196-281-0x0000000000530000-0x0000000000988000-memory.dmp

memory/5196-283-0x0000000074050000-0x0000000074800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4AEA.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/4888-308-0x0000000074050000-0x0000000074800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ED3.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/3192-327-0x0000000074050000-0x0000000074800000-memory.dmp

memory/5268-330-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5268-334-0x00000000001C0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

memory/5636-333-0x00000000004B0000-0x00000000004EE000-memory.dmp

memory/5196-335-0x0000000074050000-0x0000000074800000-memory.dmp

memory/5636-336-0x0000000074050000-0x0000000074800000-memory.dmp

memory/4888-345-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/2396-346-0x0000000074050000-0x0000000074800000-memory.dmp

memory/5268-348-0x0000000074050000-0x0000000074800000-memory.dmp

memory/5268-349-0x0000000004A50000-0x0000000004A60000-memory.dmp

memory/5536-350-0x0000000004DC0000-0x00000000051C7000-memory.dmp

memory/3712-352-0x0000000074050000-0x0000000074800000-memory.dmp

memory/5536-355-0x00000000051D0000-0x0000000005ABB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 af59b6c43a19bb5500fdf96030deaa03
SHA1 c028640d90cbf1392ff7bcac2931c08b7f3879ec
SHA256 1c8074724c16a0bcf4a59607950ac090b68e3950d5de653ed44abadc0243a275
SHA512 49b51e43670925899aab05408b13ba30d050776bab1a14e8d141f9bf85d97de2ef2a5434c7d4e77fc98a697cf0f644191d4469d44b36c3bab6cd93481199588a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 69cb9204a37b79209a8be0725afd8f34
SHA1 2ec1fc3656c834707757d43361e494a0334c28ea
SHA256 21e1b76048db22643d92d6fc75145949a082580c08cda162a1e9f20557bf0931
SHA512 08dcb44142287cbc83e5ea04fde3df9a452fbf4f01750b4eea9a0fa92a850bec28788311ee6525d307d547888b0290cdfea12b9ca52e434f5e19d739bfbfc3fc

memory/3712-377-0x0000000005460000-0x0000000005470000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

memory/5172-381-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5172-380-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5172-385-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5536-388-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/5172-394-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4888-405-0x0000000009B50000-0x0000000009BC6000-memory.dmp

memory/3712-406-0x00000000093B0000-0x0000000009400000-memory.dmp

memory/4888-409-0x0000000009DA0000-0x0000000009F62000-memory.dmp

memory/4888-412-0x000000000A4A0000-0x000000000A9CC000-memory.dmp

memory/5268-411-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4888-414-0x0000000009CE0000-0x0000000009CFE000-memory.dmp

memory/5536-413-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 11d9568b16e766cb05f38915e282094b
SHA1 e2c6c737e5d53726795d816d226d5d01e80c2ee4
SHA256 e7c8b0c6d89748280449f795c0603c42459f94e742dd9cc38475b61710ab1f28
SHA512 7ab8c3951bfcbfc946969dbfeac75a4fc70a47edaf8b3aaa323da093a793234a0b1baccfb0ea3e9f2433a92e632734cb6726af31d6e453e5fa2ff369543d4e5e

memory/5536-435-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/5604-447-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5604-448-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5604-450-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5536-457-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xqr4pmqx.nmx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5536-481-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4