Malware Analysis Report

2025-08-05 19:01

Sample ID 231018-yrh6hsca72
Target 2C1D44E8AD9067E940192DAAD5D2F936.exe
SHA256 dfa0d9ce256f9eaa029de86119dd0ba890f8614e179fa2ec0644aff18cc0701e
Tags
amadey redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 backdoor infostealer persistence rat trojan dcrat glupteba microsoft discovery dropper evasion loader phishing rootkit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dfa0d9ce256f9eaa029de86119dd0ba890f8614e179fa2ec0644aff18cc0701e

Threat Level: Known bad

The file 2C1D44E8AD9067E940192DAAD5D2F936.exe was found to be: Known bad.

Malicious Activity Summary

amadey redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 backdoor infostealer persistence rat trojan dcrat glupteba microsoft discovery dropper evasion loader phishing rootkit spyware stealer

SectopRAT payload

Glupteba payload

RedLine payload

DcRat

Modifies Windows Defender Real-time Protection settings

SectopRAT

Amadey

RedLine

SmokeLoader

Glupteba

Modifies Windows Firewall

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

.NET Reactor proctector

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-18 20:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-18 20:01

Reported

2023-10-18 20:04

Platform

win7-20230831-en

Max time kernel

39s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\CC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2092 set thread context of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\SysWOW64\WerFault.exe
PID 1184 wrote to memory of 1896 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC.exe
PID 1184 wrote to memory of 1896 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC.exe
PID 1184 wrote to memory of 1896 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC.exe
PID 1184 wrote to memory of 1896 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC.exe
PID 1184 wrote to memory of 1896 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC.exe
PID 1184 wrote to memory of 1896 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC.exe
PID 1184 wrote to memory of 1896 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC.exe
PID 1896 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 1896 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 1896 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 1896 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 1896 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 1896 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 1896 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 1184 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E5.exe
PID 1184 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E5.exe
PID 1184 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E5.exe
PID 1184 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E5.exe
PID 2884 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 2884 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 2884 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 2884 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 2884 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 2884 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 2884 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe

"C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 72

C:\Users\Admin\AppData\Local\Temp\CC.exe

C:\Users\Admin\AppData\Local\Temp\CC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

C:\Users\Admin\AppData\Local\Temp\1E5.exe

C:\Users\Admin\AppData\Local\Temp\1E5.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\437.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

C:\Users\Admin\AppData\Local\Temp\503.exe

C:\Users\Admin\AppData\Local\Temp\503.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\60D.exe

C:\Users\Admin\AppData\Local\Temp\60D.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\727.exe

C:\Users\Admin\AppData\Local\Temp\727.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\B6C.exe

C:\Users\Admin\AppData\Local\Temp\B6C.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\126F.exe

C:\Users\Admin\AppData\Local\Temp\126F.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\2FCF.exe

C:\Users\Admin\AppData\Local\Temp\2FCF.exe

C:\Users\Admin\AppData\Local\Temp\4F71.exe

C:\Users\Admin\AppData\Local\Temp\4F71.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\857F.exe

C:\Users\Admin\AppData\Local\Temp\857F.exe

C:\Users\Admin\AppData\Local\Temp\A2DF.exe

C:\Users\Admin\AppData\Local\Temp\A2DF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 508

C:\Users\Admin\AppData\Local\Temp\D49A.exe

C:\Users\Admin\AppData\Local\Temp\D49A.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\E58C.exe

C:\Users\Admin\AppData\Local\Temp\E58C.exe

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {51EC1CA3-99DC-4D5F-9A4B-7EE967F7D585} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 www.facebook.com udp
TR 185.216.70.222:80 185.216.70.222 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
IT 185.196.9.65:80 tcp
NL 85.209.176.128:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
US 157.240.5.35:443 facebook.com tcp
US 157.240.5.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
US 157.240.5.35:443 fbcdn.net tcp
US 157.240.5.35:443 fbcdn.net tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 fbsbx.com udp
US 157.240.5.35:443 fbsbx.com tcp
US 157.240.5.35:443 fbsbx.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.97.0:80 hellouts.fun tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 api.ip.sb udp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 172.67.75.172:443 api.ip.sb tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 www.microsoft.com udp
US 188.114.97.0:80 hellouts.fun tcp
NL 85.209.176.128:80 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp

Files

memory/2240-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2240-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2240-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2240-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2240-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2240-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1184-5-0x0000000002B00000-0x0000000002B16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC.exe

MD5 16955aa756f27b09ce5afee49b0cff3d
SHA1 8b3325d2d3e7492fdd4b4d338c3a7fe6695d5a6b
SHA256 7ef1c88779b24385529bdb7851a24873b5f9a25636e8ca41d898701c542f5488
SHA512 941a72f9bd359dade16000dcd0c229929f8e245147a81f9a7c7ae92ed5d601950685392726e4feea9a92d2e1b19b2b26b4f323ba463589e31ad4199a1c2a4864

C:\Users\Admin\AppData\Local\Temp\CC.exe

MD5 16955aa756f27b09ce5afee49b0cff3d
SHA1 8b3325d2d3e7492fdd4b4d338c3a7fe6695d5a6b
SHA256 7ef1c88779b24385529bdb7851a24873b5f9a25636e8ca41d898701c542f5488
SHA512 941a72f9bd359dade16000dcd0c229929f8e245147a81f9a7c7ae92ed5d601950685392726e4feea9a92d2e1b19b2b26b4f323ba463589e31ad4199a1c2a4864

\Users\Admin\AppData\Local\Temp\CC.exe

MD5 16955aa756f27b09ce5afee49b0cff3d
SHA1 8b3325d2d3e7492fdd4b4d338c3a7fe6695d5a6b
SHA256 7ef1c88779b24385529bdb7851a24873b5f9a25636e8ca41d898701c542f5488
SHA512 941a72f9bd359dade16000dcd0c229929f8e245147a81f9a7c7ae92ed5d601950685392726e4feea9a92d2e1b19b2b26b4f323ba463589e31ad4199a1c2a4864

\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

MD5 9dc91c90f1081cce18c6c14973e82dca
SHA1 e8cf0962934193f2058ff3ca77c67f5becd04978
SHA256 6c30f060ff56625258523569350be1f9fb286010107ee22c5f0fcdebc4ca6332
SHA512 c6f94f23498369a896eb133ca3c160eaacac694022f11c75b2c8aef4365db2db421306739ee7d7ee1fa074a44829284f3a854c2e5be43acc83869e65c44b57c5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

MD5 9dc91c90f1081cce18c6c14973e82dca
SHA1 e8cf0962934193f2058ff3ca77c67f5becd04978
SHA256 6c30f060ff56625258523569350be1f9fb286010107ee22c5f0fcdebc4ca6332
SHA512 c6f94f23498369a896eb133ca3c160eaacac694022f11c75b2c8aef4365db2db421306739ee7d7ee1fa074a44829284f3a854c2e5be43acc83869e65c44b57c5

C:\Users\Admin\AppData\Local\Temp\1E5.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

MD5 9dc91c90f1081cce18c6c14973e82dca
SHA1 e8cf0962934193f2058ff3ca77c67f5becd04978
SHA256 6c30f060ff56625258523569350be1f9fb286010107ee22c5f0fcdebc4ca6332
SHA512 c6f94f23498369a896eb133ca3c160eaacac694022f11c75b2c8aef4365db2db421306739ee7d7ee1fa074a44829284f3a854c2e5be43acc83869e65c44b57c5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

MD5 9dc91c90f1081cce18c6c14973e82dca
SHA1 e8cf0962934193f2058ff3ca77c67f5becd04978
SHA256 6c30f060ff56625258523569350be1f9fb286010107ee22c5f0fcdebc4ca6332
SHA512 c6f94f23498369a896eb133ca3c160eaacac694022f11c75b2c8aef4365db2db421306739ee7d7ee1fa074a44829284f3a854c2e5be43acc83869e65c44b57c5

\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

MD5 c2fb604a2393f31e38ee739e63eec337
SHA1 322ee8dc72eda1bc77d1ed597a8cdf3d86ae884a
SHA256 9629fc63dda0e6e43ea7e80106a13edb79606308e537ad3fb93ce557470b1a73
SHA512 701c6c8c39c9cf145b7e2d5d501347e803f3f0a8f32d9a281fc5a2f4e5d857dd3646ba577c8771cf1230cde73cec70277ce55962f8d634aba84d2b11e7d5c75c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

MD5 c2fb604a2393f31e38ee739e63eec337
SHA1 322ee8dc72eda1bc77d1ed597a8cdf3d86ae884a
SHA256 9629fc63dda0e6e43ea7e80106a13edb79606308e537ad3fb93ce557470b1a73
SHA512 701c6c8c39c9cf145b7e2d5d501347e803f3f0a8f32d9a281fc5a2f4e5d857dd3646ba577c8771cf1230cde73cec70277ce55962f8d634aba84d2b11e7d5c75c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

MD5 c2fb604a2393f31e38ee739e63eec337
SHA1 322ee8dc72eda1bc77d1ed597a8cdf3d86ae884a
SHA256 9629fc63dda0e6e43ea7e80106a13edb79606308e537ad3fb93ce557470b1a73
SHA512 701c6c8c39c9cf145b7e2d5d501347e803f3f0a8f32d9a281fc5a2f4e5d857dd3646ba577c8771cf1230cde73cec70277ce55962f8d634aba84d2b11e7d5c75c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

MD5 c2fb604a2393f31e38ee739e63eec337
SHA1 322ee8dc72eda1bc77d1ed597a8cdf3d86ae884a
SHA256 9629fc63dda0e6e43ea7e80106a13edb79606308e537ad3fb93ce557470b1a73
SHA512 701c6c8c39c9cf145b7e2d5d501347e803f3f0a8f32d9a281fc5a2f4e5d857dd3646ba577c8771cf1230cde73cec70277ce55962f8d634aba84d2b11e7d5c75c

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

MD5 6ba000c64a29c44479de6f4d3f585d08
SHA1 f4117a6be5d4b7f5d51e52a9757d814f9be67a85
SHA256 6aa73fe8f60d2520e9a4eb9aab61cc0070e85a845244993c6b0aa4409cb975c2
SHA512 f25ec5fb7dc9d183aee09d6faf8cf1004f6f01feec6ae3b52f51115a8ebd7a274c05ccb3485cf5fa853914571e03a90e033c844e9aac509e5710d632dc4f77ed

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

MD5 6ba000c64a29c44479de6f4d3f585d08
SHA1 f4117a6be5d4b7f5d51e52a9757d814f9be67a85
SHA256 6aa73fe8f60d2520e9a4eb9aab61cc0070e85a845244993c6b0aa4409cb975c2
SHA512 f25ec5fb7dc9d183aee09d6faf8cf1004f6f01feec6ae3b52f51115a8ebd7a274c05ccb3485cf5fa853914571e03a90e033c844e9aac509e5710d632dc4f77ed

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

MD5 6ba000c64a29c44479de6f4d3f585d08
SHA1 f4117a6be5d4b7f5d51e52a9757d814f9be67a85
SHA256 6aa73fe8f60d2520e9a4eb9aab61cc0070e85a845244993c6b0aa4409cb975c2
SHA512 f25ec5fb7dc9d183aee09d6faf8cf1004f6f01feec6ae3b52f51115a8ebd7a274c05ccb3485cf5fa853914571e03a90e033c844e9aac509e5710d632dc4f77ed

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ER1ys63.exe

MD5 697a740b5f88144667bcc87f39662c69
SHA1 0a1c306864b2942668cd314fba037ce35922dc49
SHA256 b6a722b7cf5a0a5bc864245846b3a0b9a4f0b7f61820f45d3332d13cce986a24
SHA512 ca490cb8d943da056e1a4fd1b5d51546d85b5385ef37a5434d5d525b6b49ade7ed39fa645994fb86274e04f7fa75c8be2764d75e36e58f6e3aa2246f539ee57d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

MD5 6ba000c64a29c44479de6f4d3f585d08
SHA1 f4117a6be5d4b7f5d51e52a9757d814f9be67a85
SHA256 6aa73fe8f60d2520e9a4eb9aab61cc0070e85a845244993c6b0aa4409cb975c2
SHA512 f25ec5fb7dc9d183aee09d6faf8cf1004f6f01feec6ae3b52f51115a8ebd7a274c05ccb3485cf5fa853914571e03a90e033c844e9aac509e5710d632dc4f77ed

\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

MD5 c21e0461fd9a26b7e114e1086855cb64
SHA1 438c7ae5e75d0760a69908649b8581fac233001a
SHA256 177cd4d4aeed795c2f14c7b9f51f53cb954bfa7fa4c0c8dc7efec6e05707288d
SHA512 ffd7b445f8eafdc0da4f9150011b722c74649cd6ba3728b02d2f9353d1a6004d5198f4a656537d07249b479f484723c40ec94b783c7b7026dde39983b93e3c4c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

MD5 c21e0461fd9a26b7e114e1086855cb64
SHA1 438c7ae5e75d0760a69908649b8581fac233001a
SHA256 177cd4d4aeed795c2f14c7b9f51f53cb954bfa7fa4c0c8dc7efec6e05707288d
SHA512 ffd7b445f8eafdc0da4f9150011b722c74649cd6ba3728b02d2f9353d1a6004d5198f4a656537d07249b479f484723c40ec94b783c7b7026dde39983b93e3c4c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

MD5 c21e0461fd9a26b7e114e1086855cb64
SHA1 438c7ae5e75d0760a69908649b8581fac233001a
SHA256 177cd4d4aeed795c2f14c7b9f51f53cb954bfa7fa4c0c8dc7efec6e05707288d
SHA512 ffd7b445f8eafdc0da4f9150011b722c74649cd6ba3728b02d2f9353d1a6004d5198f4a656537d07249b479f484723c40ec94b783c7b7026dde39983b93e3c4c

\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

MD5 c21e0461fd9a26b7e114e1086855cb64
SHA1 438c7ae5e75d0760a69908649b8581fac233001a
SHA256 177cd4d4aeed795c2f14c7b9f51f53cb954bfa7fa4c0c8dc7efec6e05707288d
SHA512 ffd7b445f8eafdc0da4f9150011b722c74649cd6ba3728b02d2f9353d1a6004d5198f4a656537d07249b479f484723c40ec94b783c7b7026dde39983b93e3c4c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\437.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

MD5 e1819ae23b632c40d936f9f366016f2b
SHA1 4b5d1ef62f0d66bf392950692a53f62ca40ed6fd
SHA256 aa1dea0a495a7c6a82a0ab8ec23727a8d3df05b60472f905bff5cf6cb7e0063c
SHA512 e8d52171921413ef5a56a1b1068d8fd45fdfea2375177529a7bd596b955132d292e905bb0b6daf7f7975bf38066eb9cc99b67427fd94f809b53b02562581eab1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

MD5 e1819ae23b632c40d936f9f366016f2b
SHA1 4b5d1ef62f0d66bf392950692a53f62ca40ed6fd
SHA256 aa1dea0a495a7c6a82a0ab8ec23727a8d3df05b60472f905bff5cf6cb7e0063c
SHA512 e8d52171921413ef5a56a1b1068d8fd45fdfea2375177529a7bd596b955132d292e905bb0b6daf7f7975bf38066eb9cc99b67427fd94f809b53b02562581eab1

C:\Users\Admin\AppData\Local\Temp\437.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

MD5 e1819ae23b632c40d936f9f366016f2b
SHA1 4b5d1ef62f0d66bf392950692a53f62ca40ed6fd
SHA256 aa1dea0a495a7c6a82a0ab8ec23727a8d3df05b60472f905bff5cf6cb7e0063c
SHA512 e8d52171921413ef5a56a1b1068d8fd45fdfea2375177529a7bd596b955132d292e905bb0b6daf7f7975bf38066eb9cc99b67427fd94f809b53b02562581eab1

C:\Users\Admin\AppData\Local\Temp\503.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\503.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

MD5 e1819ae23b632c40d936f9f366016f2b
SHA1 4b5d1ef62f0d66bf392950692a53f62ca40ed6fd
SHA256 aa1dea0a495a7c6a82a0ab8ec23727a8d3df05b60472f905bff5cf6cb7e0063c
SHA512 e8d52171921413ef5a56a1b1068d8fd45fdfea2375177529a7bd596b955132d292e905bb0b6daf7f7975bf38066eb9cc99b67427fd94f809b53b02562581eab1

C:\Users\Admin\AppData\Local\Temp\503.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\60D.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

memory/2496-131-0x0000000000A70000-0x0000000000AAE000-memory.dmp

memory/1904-132-0x0000000000E90000-0x0000000000ECE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\727.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\727.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/888-144-0x0000000000590000-0x00000000005B0000-memory.dmp

memory/2496-145-0x00000000731A0000-0x000000007388E000-memory.dmp

memory/888-146-0x0000000004880000-0x00000000048C0000-memory.dmp

memory/888-147-0x00000000731A0000-0x000000007388E000-memory.dmp

memory/888-148-0x0000000004880000-0x00000000048C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B6C.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\B6C.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/892-156-0x00000000006D0000-0x000000000072A000-memory.dmp

memory/892-157-0x0000000000400000-0x0000000000470000-memory.dmp

memory/888-158-0x0000000004880000-0x00000000048C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFAC.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2496-179-0x00000000731A0000-0x000000007388E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\126F.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/888-181-0x0000000004880000-0x00000000048C0000-memory.dmp

memory/2180-182-0x00000000731A0000-0x000000007388E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\126F.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/2180-183-0x0000000000B90000-0x0000000000BAE000-memory.dmp

memory/888-184-0x00000000731A0000-0x000000007388E000-memory.dmp

memory/888-191-0x0000000004880000-0x00000000048C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2FCF.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/2444-192-0x00000000731A0000-0x000000007388E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2FCF.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/888-186-0x0000000004880000-0x00000000048C0000-memory.dmp

memory/2496-193-0x00000000071E0000-0x0000000007220000-memory.dmp

memory/888-194-0x00000000021E0000-0x00000000021FE000-memory.dmp

memory/2444-195-0x00000000008D0000-0x000000000092A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar4945.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55338c6320d0a00b899bf827b31e195d
SHA1 0fc226c4efafd6a870e8dc1e2c46dd6c2ad29b45
SHA256 3deca3162819faee29ab7877bafce2362a52ce1b4cc509bee2e946b97cb3c34a
SHA512 0bd8d7c41bf4363cff202bb0c3075cd56fba788ad388940e96b2f9584f80b5d53ba23502790f06a7ac7df272c5206002fe9bd930b6524943082e09c43160acb2

C:\Users\Admin\AppData\Local\Temp\4F71.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/1928-254-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/1928-256-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/1928-264-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1928-266-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/1804-268-0x0000000000DB0000-0x0000000000ECB000-memory.dmp

memory/1928-267-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/888-271-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-272-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-274-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-276-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-278-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-280-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-282-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-299-0x00000000021E0000-0x00000000021F8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 710b555bb460010da34f8b26e925f6e6
SHA1 c49b1492e0df8efef8878180300edaa51acd23af
SHA256 da9b463c580d7defa50e0e9bbdc474360ac3a93d8f54f178d9247be7708b21cf
SHA512 54c8e6259d57e1fad09f8eb8fc26acf2a8be2fd0c6290241c1d9f91ab0c19d4c619c54706d6d55357ecb7bd1db94bbe4311bd5e68b6e1c587b0279a2d5bc72f3

memory/888-303-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-305-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-308-0x00000000021E0000-0x00000000021F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\857F.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/1880-330-0x00000000012D0000-0x0000000001728000-memory.dmp

memory/888-329-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-336-0x00000000021E0000-0x00000000021F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\857F.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/888-347-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-310-0x00000000021E0000-0x00000000021F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A2DF.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Temp\A2DF.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/1716-458-0x0000000000020000-0x000000000003E000-memory.dmp

\Users\Admin\AppData\Local\Temp\A2DF.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

\Users\Admin\AppData\Local\Temp\A2DF.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Temp\D49A.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\D49A.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/1880-496-0x00000000731A0000-0x000000007388E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E58C.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JORLV5PC\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/888-541-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/888-539-0x00000000021E0000-0x00000000021F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\E58C.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Temp\E58C.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2232-488-0x0000000004A50000-0x0000000004E48000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 eaed0fb9950f8a541ec5e5f37f33e287
SHA1 367ae917a03de4fb804d8f5ab9d764a22e2e33d3
SHA256 23e31500e2c4f38c072eb8074258233d001938cc64c3b2b7ae4ca69ad71de1e1
SHA512 ef800a798064a80abb2092df84e743878fd83be960a292f79d4af920ac9312d32653167218193681c42881e7f963fcc14de539b69118ee328717de6413ac02a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/888-625-0x00000000731A0000-0x000000007388E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5dfb8a1903961f4d77794eb1fa75cf8c
SHA1 3978f0eba3126961a85861c3e55e33814d8ac292
SHA256 b77f843390d3bc4450e433d2387f5beb17e1ca5155c665fcd9f0ab424fb32c42
SHA512 1c2c7591481049410c8ce37443cd624a38f3378a75fca754a830e438084aedef58309272f21f9d5355d21b21a8a631f2e18fae6a761e7450c66f8067bcbc4725

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e0d288069873ec15c133ba7735a3be3
SHA1 16b42d9dc07d4dbc179cd21ff79bb6f1880a235b
SHA256 f7b8e389fd2dd3b5fb6577c4cb30d4c9e50bf3dc79c00b9dc597fef60013bfbb
SHA512 82a5cb36dc48481da745a2676f651b4688db57ac0c015c39003c68570c0fbc80d755bf82e53a02b836d832f8e6caaa7a399ef80d90de02a972776582a1a2d476

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 22170bb9a98a30a3c51baee90a2435c4
SHA1 6b3baddaa85b31c5fc14a6db7e1955b83e532118
SHA256 030e2bc180d722fd530dacffb853654d676baefa4cf36637f447d800663834e6
SHA512 8302e3985b54576d5ca909643cd216b534c8540a76ca84556dbadeca3c929d78d1164065b4ab279d8678c41ea8181d3ad34cac93cfa05e729b10ee72508636d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc0cab3ca46713c2d9fa53c08643642d
SHA1 71d313f715c3ab66eb947b857fabaa55289e33a3
SHA256 c55a9bad072268e666c16a1a79b1364758ee2f0de2a979ae3173201f85b3290b
SHA512 88de2f241c871ab447d0fb8e7f5ddd9950556d67a5035b08f0aa4c4f689530fdf17de4d803c26e3cacdc9c7536ac6a3e9d17ce6b51c2fa6333b830c70d29cd98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2ab0a3b3a58f0bc6c540cc7ffc17bde
SHA1 c4d462043a88ec52639d3ef68fff56b55f3948e5
SHA256 cce988fbe2664f7a341266ba90ca0d8c9f67c68035e0d407a02545faabcde894
SHA512 478e34c5a3a89f6223aca1efce16aa9980aaab308446f80bbda210210e20dc94ad6df2f64fb9eff3ce26f317b69be351f82e2efceb3eeb5c34a533188a01d798

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 980689cd20f4d94357c403c9e42052d9
SHA1 312107e3cf33a5fdeafa9ba5257e9a5790ee8b40
SHA256 32b10fafa52b045b642d2399e16c99e108945e61664036da9ee0938c4de964b4
SHA512 9dfc09ae3255a85ed6f10d0f8d2689601e2bceb568e77f84fea1a9327da5a3945376d9282bd0860f8c4afb854e04f2b35f8fd67b529da5f99a34e97244c7d608

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f576be129b02292d3a40c7fb4b242d10
SHA1 3f0c9fb412d9ade09eed65324532861189f412ba
SHA256 378afa9427d8841050b9dbe5638e86092feb608d9f7cd5d82af25ded07eecbc7
SHA512 b81e33adac5a02f2affcb55d20eb48dfe90a28b8d1bc34e45e5fd6dcb84876cb41da6ab1e22c5dd9313b4081cca4492bb8ea6605d8969e7cfcaa9cc25b361be7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84754e8f471fb1bbf55080b990d86546
SHA1 eba9362c0a1274bb5422c124d0c9bc9f9a99f6b0
SHA256 56998177fbc60e6e6312222d29207fa69f770ec49d24d72ea32b64c1ef0c3649
SHA512 61a3aba21ac8ba96e12a64782272703052d9bfe9c64b580a6949d3be938a35d1e8a31788cefda24bb996bb7710537525b10b8df49fdfab4a290393a999157e4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b93a9527fdf267d8c396ee4cbf30657
SHA1 6109e464796c353d04ef865597161682993ce7e9
SHA256 9dddf3f2216bc1199252a90fa73ab2791ddecdeb2d550238fdc27296219b3b75
SHA512 23711aba9afd3af919e2f905e2be9d6b830a9011dafd647179c1c80522b69f7fd69639e3c46bf616e10432d9a4ed5715cc4b1261b6207ab16ef35be4864f01e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a21ac9420241fca52e0fa19a5999b39f
SHA1 b9d100cba3633cb1321cd95f7c2e4de7a33a95ff
SHA256 be414c4f4ed2644e32328185bbaf5b3f6aa6b1fc0cd8d847918372cbe589a9e1
SHA512 8adac1d5215ec5f681dd8758e907c303679ccea387ddf5e2ebee989d17b14e7a962e02fcae646bb4bd93997fbd33d325ec796547220d52c57848fbe3534fbe6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0af2b2b47d9db8ce41240ee295247d1f
SHA1 da61b676fed518180440119c5000f218a3c16ad0
SHA256 df99c6cf3410529b651733a9c37a96a55449f8b767c954d5b0601050d367febd
SHA512 2bf56e69f95cecc3cec7a8fb1833548c65604c07da50f1b2cd6c000efe4a8e8ef85b83b9c7dae766eefd865c08697227d5b150ca5ddb2b39825fa974e9c72607

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b09a97f4b73a0c50c6bf8e187bd8c037
SHA1 26307a89031e54cd1acd1402a7c62f904a67399d
SHA256 5043800c98ebd21a7e53cd93b46c7396db3a50d784303980387ac7ab9e7f4017
SHA512 d5b7ce976a9f22b2b0f193fc3a0ddf5c25d9587b8e1b46dae4690677cbbc0a16940856559289ea77c438815f81c50930e3325d88dd0bb3750fb045a0dddb93ba

memory/1928-1199-0x00000000731A0000-0x000000007388E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-18 20:01

Reported

2023-10-18 20:03

Platform

win10v2004-20230915-en

Max time kernel

153s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E2B4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F97D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEB7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DF84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E12B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2B4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E507.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E5D3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E6DE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F97D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FD95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\585A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\DEB7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\D2.exe'\"" C:\Users\Admin\AppData\Local\Temp\D2.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E1F8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E5D3.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 3884 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEB7.exe
PID 3164 wrote to memory of 3884 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEB7.exe
PID 3164 wrote to memory of 3884 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEB7.exe
PID 3164 wrote to memory of 556 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF84.exe
PID 3164 wrote to memory of 556 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF84.exe
PID 3164 wrote to memory of 556 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF84.exe
PID 3884 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\DEB7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 3884 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\DEB7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 3884 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\DEB7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe
PID 3164 wrote to memory of 4600 N/A N/A C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 4600 N/A N/A C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 2276 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 2276 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe
PID 3164 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\E12B.exe
PID 3164 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\E12B.exe
PID 3164 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\E12B.exe
PID 2232 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe
PID 2232 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe
PID 2232 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe
PID 2264 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe
PID 2264 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe
PID 2264 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe
PID 3164 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\E1F8.exe
PID 3164 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\E1F8.exe
PID 3164 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\E1F8.exe
PID 1112 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe
PID 1112 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe
PID 1112 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe
PID 3164 wrote to memory of 1844 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2B4.exe
PID 3164 wrote to memory of 1844 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2B4.exe
PID 3164 wrote to memory of 1844 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2B4.exe
PID 1112 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe
PID 1112 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe
PID 1112 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe
PID 3164 wrote to memory of 2764 N/A N/A C:\Users\Admin\AppData\Local\Temp\E507.exe
PID 3164 wrote to memory of 2764 N/A N/A C:\Users\Admin\AppData\Local\Temp\E507.exe
PID 3164 wrote to memory of 2764 N/A N/A C:\Users\Admin\AppData\Local\Temp\E507.exe
PID 4600 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5D3.exe
PID 3164 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5D3.exe
PID 3164 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5D3.exe
PID 3164 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6DE.exe
PID 3164 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6DE.exe
PID 3164 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6DE.exe
PID 1844 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\E2B4.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1844 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\E2B4.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1844 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\E2B4.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2340 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2340 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED28.exe
PID 3164 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED28.exe
PID 3164 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED28.exe
PID 3596 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3596 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3596 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3596 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe

"C:\Users\Admin\AppData\Local\Temp\2C1D44E8AD9067E940192DAAD5D2F936.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1676 -ip 1676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 136

C:\Users\Admin\AppData\Local\Temp\DEB7.exe

C:\Users\Admin\AppData\Local\Temp\DEB7.exe

C:\Users\Admin\AppData\Local\Temp\DF84.exe

C:\Users\Admin\AppData\Local\Temp\DF84.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E06F.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

C:\Users\Admin\AppData\Local\Temp\E12B.exe

C:\Users\Admin\AppData\Local\Temp\E12B.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

C:\Users\Admin\AppData\Local\Temp\E1F8.exe

C:\Users\Admin\AppData\Local\Temp\E1F8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

C:\Users\Admin\AppData\Local\Temp\E2B4.exe

C:\Users\Admin\AppData\Local\Temp\E2B4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

C:\Users\Admin\AppData\Local\Temp\E507.exe

C:\Users\Admin\AppData\Local\Temp\E507.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\E5D3.exe

C:\Users\Admin\AppData\Local\Temp\E5D3.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8009046f8,0x7ff800904708,0x7ff800904718

C:\Users\Admin\AppData\Local\Temp\ED28.exe

C:\Users\Admin\AppData\Local\Temp\ED28.exe

C:\Users\Admin\AppData\Local\Temp\E6DE.exe

C:\Users\Admin\AppData\Local\Temp\E6DE.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\F97D.exe

C:\Users\Admin\AppData\Local\Temp\F97D.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\FD95.exe

C:\Users\Admin\AppData\Local\Temp\FD95.exe

C:\Users\Admin\AppData\Local\Temp\D2.exe

C:\Users\Admin\AppData\Local\Temp\D2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\6AF.exe

C:\Users\Admin\AppData\Local\Temp\6AF.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8009046f8,0x7ff800904708,0x7ff800904718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16636521939607541025,804941507752388752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\585A.exe

C:\Users\Admin\AppData\Local\Temp\585A.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=FD95.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80ffe46f8,0x7ff80ffe4708,0x7ff80ffe4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=FD95.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80ffe46f8,0x7ff80ffe4708,0x7ff80ffe4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,12255902027680094099,12541823803021217471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
IT 185.196.9.65:80 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
NL 85.209.176.128:80 tcp
FI 77.91.124.71:4341 tcp
BG 171.22.28.239:42359 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 239.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 10.5.240.157.in-addr.arpa udp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 api.ip.sb udp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 172.67.75.172:443 api.ip.sb tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
US 188.114.96.0:80 hellouts.fun tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
IE 52.211.144.29:443 mscom.demdex.net tcp
US 8.8.8.8:53 29.144.211.52.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 104.208.16.89:443 browser.events.data.microsoft.com tcp
US 188.114.96.0:80 hellouts.fun tcp
US 104.208.16.89:443 browser.events.data.microsoft.com tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 29.144.211.52.in-addr.arpa udp
US 8.8.8.8:53 e6e408de-8b12-4f9d-955c-26e48f21af2e.uuid.statsexplorer.org udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
US 8.8.8.8:53 server8.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 74.125.128.127:19302 stun.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server8.statsexplorer.org tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
BG 185.82.216.108:443 server8.statsexplorer.org tcp

Files

memory/1672-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1672-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3164-2-0x0000000006D70000-0x0000000006D86000-memory.dmp

memory/1672-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DEB7.exe

MD5 16955aa756f27b09ce5afee49b0cff3d
SHA1 8b3325d2d3e7492fdd4b4d338c3a7fe6695d5a6b
SHA256 7ef1c88779b24385529bdb7851a24873b5f9a25636e8ca41d898701c542f5488
SHA512 941a72f9bd359dade16000dcd0c229929f8e245147a81f9a7c7ae92ed5d601950685392726e4feea9a92d2e1b19b2b26b4f323ba463589e31ad4199a1c2a4864

C:\Users\Admin\AppData\Local\Temp\DEB7.exe

MD5 16955aa756f27b09ce5afee49b0cff3d
SHA1 8b3325d2d3e7492fdd4b4d338c3a7fe6695d5a6b
SHA256 7ef1c88779b24385529bdb7851a24873b5f9a25636e8ca41d898701c542f5488
SHA512 941a72f9bd359dade16000dcd0c229929f8e245147a81f9a7c7ae92ed5d601950685392726e4feea9a92d2e1b19b2b26b4f323ba463589e31ad4199a1c2a4864

C:\Users\Admin\AppData\Local\Temp\DF84.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\DF84.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

MD5 9dc91c90f1081cce18c6c14973e82dca
SHA1 e8cf0962934193f2058ff3ca77c67f5becd04978
SHA256 6c30f060ff56625258523569350be1f9fb286010107ee22c5f0fcdebc4ca6332
SHA512 c6f94f23498369a896eb133ca3c160eaacac694022f11c75b2c8aef4365db2db421306739ee7d7ee1fa074a44829284f3a854c2e5be43acc83869e65c44b57c5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np7fR4me.exe

MD5 9dc91c90f1081cce18c6c14973e82dca
SHA1 e8cf0962934193f2058ff3ca77c67f5becd04978
SHA256 6c30f060ff56625258523569350be1f9fb286010107ee22c5f0fcdebc4ca6332
SHA512 c6f94f23498369a896eb133ca3c160eaacac694022f11c75b2c8aef4365db2db421306739ee7d7ee1fa074a44829284f3a854c2e5be43acc83869e65c44b57c5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

MD5 c2fb604a2393f31e38ee739e63eec337
SHA1 322ee8dc72eda1bc77d1ed597a8cdf3d86ae884a
SHA256 9629fc63dda0e6e43ea7e80106a13edb79606308e537ad3fb93ce557470b1a73
SHA512 701c6c8c39c9cf145b7e2d5d501347e803f3f0a8f32d9a281fc5a2f4e5d857dd3646ba577c8771cf1230cde73cec70277ce55962f8d634aba84d2b11e7d5c75c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC1qe8si.exe

MD5 c2fb604a2393f31e38ee739e63eec337
SHA1 322ee8dc72eda1bc77d1ed597a8cdf3d86ae884a
SHA256 9629fc63dda0e6e43ea7e80106a13edb79606308e537ad3fb93ce557470b1a73
SHA512 701c6c8c39c9cf145b7e2d5d501347e803f3f0a8f32d9a281fc5a2f4e5d857dd3646ba577c8771cf1230cde73cec70277ce55962f8d634aba84d2b11e7d5c75c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

MD5 6ba000c64a29c44479de6f4d3f585d08
SHA1 f4117a6be5d4b7f5d51e52a9757d814f9be67a85
SHA256 6aa73fe8f60d2520e9a4eb9aab61cc0070e85a845244993c6b0aa4409cb975c2
SHA512 f25ec5fb7dc9d183aee09d6faf8cf1004f6f01feec6ae3b52f51115a8ebd7a274c05ccb3485cf5fa853914571e03a90e033c844e9aac509e5710d632dc4f77ed

C:\Users\Admin\AppData\Local\Temp\E12B.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mu8PS4vN.exe

MD5 6ba000c64a29c44479de6f4d3f585d08
SHA1 f4117a6be5d4b7f5d51e52a9757d814f9be67a85
SHA256 6aa73fe8f60d2520e9a4eb9aab61cc0070e85a845244993c6b0aa4409cb975c2
SHA512 f25ec5fb7dc9d183aee09d6faf8cf1004f6f01feec6ae3b52f51115a8ebd7a274c05ccb3485cf5fa853914571e03a90e033c844e9aac509e5710d632dc4f77ed

C:\Users\Admin\AppData\Local\Temp\E06F.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

MD5 c21e0461fd9a26b7e114e1086855cb64
SHA1 438c7ae5e75d0760a69908649b8581fac233001a
SHA256 177cd4d4aeed795c2f14c7b9f51f53cb954bfa7fa4c0c8dc7efec6e05707288d
SHA512 ffd7b445f8eafdc0da4f9150011b722c74649cd6ba3728b02d2f9353d1a6004d5198f4a656537d07249b479f484723c40ec94b783c7b7026dde39983b93e3c4c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wF2ce4eE.exe

MD5 c21e0461fd9a26b7e114e1086855cb64
SHA1 438c7ae5e75d0760a69908649b8581fac233001a
SHA256 177cd4d4aeed795c2f14c7b9f51f53cb954bfa7fa4c0c8dc7efec6e05707288d
SHA512 ffd7b445f8eafdc0da4f9150011b722c74649cd6ba3728b02d2f9353d1a6004d5198f4a656537d07249b479f484723c40ec94b783c7b7026dde39983b93e3c4c

C:\Users\Admin\AppData\Local\Temp\E1F8.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\E1F8.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\E12B.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ly87pI3.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\E2B4.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\E2B4.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

MD5 e1819ae23b632c40d936f9f366016f2b
SHA1 4b5d1ef62f0d66bf392950692a53f62ca40ed6fd
SHA256 aa1dea0a495a7c6a82a0ab8ec23727a8d3df05b60472f905bff5cf6cb7e0063c
SHA512 e8d52171921413ef5a56a1b1068d8fd45fdfea2375177529a7bd596b955132d292e905bb0b6daf7f7975bf38066eb9cc99b67427fd94f809b53b02562581eab1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gr226RS.exe

MD5 e1819ae23b632c40d936f9f366016f2b
SHA1 4b5d1ef62f0d66bf392950692a53f62ca40ed6fd
SHA256 aa1dea0a495a7c6a82a0ab8ec23727a8d3df05b60472f905bff5cf6cb7e0063c
SHA512 e8d52171921413ef5a56a1b1068d8fd45fdfea2375177529a7bd596b955132d292e905bb0b6daf7f7975bf38066eb9cc99b67427fd94f809b53b02562581eab1

memory/3712-74-0x0000000000150000-0x000000000018E000-memory.dmp

memory/2872-73-0x00000000004B0000-0x00000000004EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E507.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/1556-76-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/1556-75-0x0000000002440000-0x0000000002460000-memory.dmp

memory/1556-84-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/2872-82-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/1556-87-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2872-91-0x0000000007270000-0x0000000007302000-memory.dmp

memory/1556-86-0x0000000002650000-0x000000000266E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E507.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/1556-98-0x0000000002650000-0x0000000002668000-memory.dmp

memory/3712-104-0x00000000070D0000-0x00000000070DA000-memory.dmp

memory/1556-106-0x0000000002650000-0x0000000002668000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3712-111-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/2936-108-0x0000000073F00000-0x00000000746B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1556-102-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/1556-101-0x0000000002650000-0x0000000002668000-memory.dmp

memory/2936-110-0x0000000000840000-0x000000000089A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E5D3.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/2872-113-0x00000000074D0000-0x00000000074E0000-memory.dmp

memory/1556-112-0x0000000002650000-0x0000000002668000-memory.dmp

memory/3712-120-0x0000000007FC0000-0x00000000085D8000-memory.dmp

memory/3192-122-0x0000000000F80000-0x0000000000F9E000-memory.dmp

memory/1556-116-0x0000000002650000-0x0000000002668000-memory.dmp

memory/1556-123-0x0000000002650000-0x0000000002668000-memory.dmp

memory/3712-124-0x0000000007270000-0x000000000737A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E6DE.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/3712-97-0x0000000073F00000-0x00000000746B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E6DE.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/3712-85-0x00000000073F0000-0x0000000007994000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E5D3.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

C:\Users\Admin\AppData\Local\Temp\ED28.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/1556-127-0x0000000002650000-0x0000000002668000-memory.dmp

memory/2764-134-0x0000000002080000-0x00000000020DA000-memory.dmp

memory/2936-132-0x0000000007800000-0x0000000007810000-memory.dmp

memory/3192-129-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/2872-128-0x0000000007510000-0x0000000007522000-memory.dmp

memory/1556-133-0x0000000002650000-0x0000000002668000-memory.dmp

memory/2764-135-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3192-131-0x0000000005870000-0x00000000058AC000-memory.dmp

memory/1556-140-0x0000000002650000-0x0000000002668000-memory.dmp

memory/3192-143-0x00000000033D0000-0x000000000341C000-memory.dmp

memory/1556-146-0x0000000002650000-0x0000000002668000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

memory/2764-153-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/1556-144-0x0000000002650000-0x0000000002668000-memory.dmp

memory/3192-139-0x00000000059C0000-0x00000000059D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED28.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/1556-154-0x0000000002650000-0x0000000002668000-memory.dmp

memory/1556-157-0x0000000002650000-0x0000000002668000-memory.dmp

memory/1556-161-0x0000000002650000-0x0000000002668000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F97D.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/3676-166-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/1556-167-0x0000000002650000-0x0000000002668000-memory.dmp

memory/2764-168-0x0000000007660000-0x0000000007670000-memory.dmp

memory/1556-175-0x0000000002650000-0x0000000002668000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD95.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/2936-177-0x00000000081D0000-0x0000000008236000-memory.dmp

memory/1556-170-0x0000000002650000-0x0000000002668000-memory.dmp

memory/3676-165-0x0000000000BC0000-0x0000000001018000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F97D.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

C:\Users\Admin\AppData\Local\Temp\D2.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\D2.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/2872-190-0x0000000073F00000-0x00000000746B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

\??\pipe\LOCAL\crashpad_2340_MVATVYBVMNWRVVPC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3712-230-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/1556-232-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/4624-235-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3676-233-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/4624-229-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/4744-237-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/2936-238-0x0000000073F00000-0x00000000746B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6AF.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Temp\6AF.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

memory/4140-225-0x0000000000630000-0x000000000074B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1556-212-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

memory/4140-194-0x0000000000630000-0x000000000074B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

memory/1556-184-0x0000000073F00000-0x00000000746B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD95.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/4744-183-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4744-241-0x0000000007C80000-0x0000000007C90000-memory.dmp

memory/2872-242-0x00000000074D0000-0x00000000074E0000-memory.dmp

memory/3192-243-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/1944-244-0x0000000004CC0000-0x00000000050C1000-memory.dmp

memory/1944-245-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/2936-246-0x0000000007800000-0x0000000007810000-memory.dmp

memory/3192-247-0x00000000059C0000-0x00000000059D0000-memory.dmp

memory/1944-248-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1944-249-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 75a2a63c050bf40537895aaedacc30e2
SHA1 61db68aa0e718af75f4e82d3b8938c78d0ce06e4
SHA256 2cdfcc46cc10530eb382702d6a806aa7e7ecc17e8dd45ec008e4c0f2d5927baf
SHA512 e72c401d1a1375d61f5cd57753fd59502c19acc8fc7cdf0969dc46bb1db449523dd38b2f065510b7646b94783eccfc642800a5b65fdc7843aec5f3c3bafca53b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f48087fe10e0d494150c3333f88389e3
SHA1 7d9b7427389a96ff9b8d26cdb15414bcac497bf6
SHA256 26f0341c3054d79f05eb79a619a691ce2f17316b132c300ce083f29a67cba644
SHA512 a7e8a6cd04d856250589e9868c3a45e9d51207a449fdba5c4c27d363caa4e8ad3edae82a51d40e68ce6ecd773cf0b482e39ac6aee7e700d43d670acec2116987

memory/2764-270-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/2764-280-0x0000000007660000-0x0000000007670000-memory.dmp

memory/4744-282-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/2764-283-0x00000000088C0000-0x0000000008936000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1556-292-0x0000000073F00000-0x00000000746B0000-memory.dmp

memory/1944-299-0x0000000004CC0000-0x00000000050C1000-memory.dmp

memory/2764-300-0x00000000089A0000-0x0000000008B62000-memory.dmp

memory/4744-302-0x0000000009C90000-0x000000000A1BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\585A.exe

MD5 87ceec7ff9c4b500d3b5c931e2ad6b71
SHA1 40e4c30d5653d6cd0a8311a361b08eba02d2305a
SHA256 0353c39d30bfa45379ed1334b49064a58244abf5c8ff31183dae2b7326fd0e04
SHA512 8a3ba7eb529a5bbf160adca6ee461d81e09e499eef35be22ad513fbeed9eb11658a6ff083f8d9d153d239a21017130d390fa8151b495ede4ef26617bfb65f06c

memory/1944-309-0x00000000050D0000-0x00000000059BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 75a2a63c050bf40537895aaedacc30e2
SHA1 61db68aa0e718af75f4e82d3b8938c78d0ce06e4
SHA256 2cdfcc46cc10530eb382702d6a806aa7e7ecc17e8dd45ec008e4c0f2d5927baf
SHA512 e72c401d1a1375d61f5cd57753fd59502c19acc8fc7cdf0969dc46bb1db449523dd38b2f065510b7646b94783eccfc642800a5b65fdc7843aec5f3c3bafca53b

memory/1944-314-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2764-315-0x00000000091A0000-0x00000000091BE000-memory.dmp

memory/4744-316-0x00000000094B0000-0x0000000009500000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 0998ac9150bdc6f7d8e828c9852a47bd
SHA1 02d3c524e6b9b71dcdff25052a73cc7f0f1ccd8f
SHA256 2aabf080db8689c6eb19b9fd7d9a5633aa7c52699513adb704b68138f5f635f8
SHA512 0d5b978515086ac3b59e4177b4e257c781dd7881f09aed18f92f30498bcf03a852381765ed6ceaa7c4853160e0dd5b82566ec81f3c64b1d87f9671aa8b69d432

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a9399b4e9d0277fe3d25cc749c24f3a6
SHA1 c430929bde4c1ded8e8fc284fd5927a52b1c5f2b
SHA256 8af9f711e403e94a742e9f7b1982cb39de8ec16b0ac83b0a790190ebdff2c635
SHA512 3133d21aa003dfade152b105c9bd2a4c007f06fb432ef39c882d257968256cd98b7849cd67ef98b4d015ee6a9e3c46f34575f4f9f5e112021e27e0cbf9ec964e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b15bc5ec9a02c7ab27847d125ad89e34
SHA1 24602568977b2e2891734bf6849f45c8fd0b2327
SHA256 a0289133ca38ff4ae6e19253cb9417ab523beaf90a745a753358280769599b05
SHA512 f0d7fb5a75327f962f4cf65724d09836c0ac2f2e59839dffa6a9a1bb6d18bfd952ed46b9cfcfb14c880147ee235f14873cd11d9a3754c07a077853d9c20ef0fd

memory/5260-336-0x00007FF600D20000-0x00007FF601827000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 4a078fb8a7c67594a6c2aa724e2ac684
SHA1 92bc5b49985c8588c60f6f85c50a516fae0332f4
SHA256 c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee
SHA512 188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4bb6fd6205bea1fd8a777e77f7e0fe11
SHA1 0ed13c7f0fb0ab74db6bd2c1f2c179f21661a886
SHA256 359068c904d0075caaf5b739040334b186c114d07f00c44d069ce2929a26c61e
SHA512 6e24bb7d5bdb04e37a6a1a83bf32dd577cce5d4cf44ff4a698a61d9244c0309f8fd17304bf011fc0bfe592a99ddddd47f4c89c7166e5aff8f2da13132da7bede

memory/1944-378-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kf30dxuw.x0t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5260-422-0x00007FF600D20000-0x00007FF601827000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0026a30270675d2eebe7f4138e5b62be
SHA1 a2ef9b2747698783840cf8e86628b8bf8184bcfe
SHA256 af19cd1274ec77aa28a440703264c282afd2fdab6a2fd64cd3bbe4421ba0786a
SHA512 25ef5564f37874070b28ac30db8874423ec1ca13d15d7668081a2fe3ae88267f47ca337b4142e78f3924fa632fc9b8e54b8491dae4ff82a69d8ffd53c7b3cb9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eba3db1bbe84a43fe1ada9f9c15b7957
SHA1 fcd885f11ce893d5678677d0522311c6998da006
SHA256 228f4aaeec34c0b304edf70ecb6afe7579b0da3b9fba79c48a50698e94efbd12
SHA512 66df9be45fd374db6926aa3a5d1b4d91f861163829aeb380f35e6eb63dab4274057abc9ab7cdc123fb41e78a6ca8b75cb5f6d750d8fe0e1d80a5978b58fe87c1

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1944-496-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f3e25c69-4fe2-4424-a700-505e07c6efbb.tmp

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/1944-534-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/5260-539-0x00007FF600D20000-0x00007FF601827000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f07e753cc604d9c48be90a737dd3c30a
SHA1 b53970bd5e118a31c7ad2f2c39d4b58032dc7df5
SHA256 01b8b58b07f47b4a4ae3bbe0bc2c2ecdda204e70a88c0392b9795a9455ba4177
SHA512 850e05f4916916ec64fb8843aec0b209952e132186737ee012965c908f53bb59bde6ba70fbfb3b83740d1ed0770e34b6a4a7409e9f75f6296fa5ffce0f32f0ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ce9f2c4a953d6817f45576c325d2f809
SHA1 086cc3b02ad55ba36036b39f9d7469e5e641fd78
SHA256 9fa4b70a383b0829936ed5d77f05357b844d7a32478db505343b8cb4777ccb8c
SHA512 59980095408e7b62c3e775b5303e321ebf4ffcaca6fa92a54b2613c22951a0f43918adfeddb18099533552ab865e9c25aaf14b316bbffb2aace9e6fc7aa5e0e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e896.TMP

MD5 32789e5d078de1b758c0f768ba8bf694
SHA1 c3063ec1edb3f0624bd2cf3edbf82a6571ea6929
SHA256 8496e271ae881128014fef51c8cc2610b9c8f2f09d8e73ebb92937c928041476
SHA512 05e6ad34043233fd3beeca925f10eb8f2e052fee0d07429b2afcd3e7ae4613c98db0a2b98b71f8af77c41c5ccb9db7b532fdfb1d31e45925e1a6774b59badd59

memory/5040-610-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/5260-623-0x00007FF600D20000-0x00007FF601827000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 95d22edebb7840f82e891da86c973d4a
SHA1 098305821b2e9d42cc299cf17f937593c38d2a08
SHA256 e52eb34247125ac69026b1a54234b8331f1d7e6954d5c855eed8a81dbd91770c
SHA512 59e1fb03249952d496308bfe68f9f163db006498c34f8adbc04ecbfe1fb91008a23330f6616cd27f32bd4232dde62c9397bd447c05271b8ca571ffdc0a6182cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe590dc2.TMP

MD5 67d2849faf9b8a0cc219be678eca5151
SHA1 79491ccdaa0957d6d80a7e9892ec4d7df4435ccb
SHA256 8f60cac1905e9186e6e5f01c2ab8eaca754fe03bedd493530553b49d4fc2a265
SHA512 ecda5aa2fe7f774ae9b174b9d25bfed1a1eedd2e96505f54fe180af1f904b5396cc44c302e9dbdbd7385116ee442c3141f2c9678e35c3ea598ac8d5e9c0f8d89

memory/5040-663-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/5260-678-0x00007FF600D20000-0x00007FF601827000-memory.dmp